The site is internal so I won't be able to check via ssllabs

On Thu, Dec 21, 2017 at 5:36 PM, George S. <geor...@mhsoftware.com> wrote:

> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>
>> Thank you for the input so far!
>>
>> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
>> receive the same result
>>
>> when running the openssl s_client command I received this as the Cipher
>> and SSL version
>> Protocol  : TLSv1.2
>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>>
>> I also get a message saying  "verify error:num=20:unable to get local
>> issuer certificate"
>> "Verify return code: 20 (unable to get local issuer certificate)"
>>
>
> I second Chris Schultz's recommendation that you run the site through the
> SSL Labs testing site and see what it points out. It's going to check a lot
> more things right off the bat and display them in an easier format:
>
> https://www.ssllabs.com/ssltest/
>
>
>
>
>
>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>>
>>> Peter,
>>>
>>> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
>>>
>>>> Hi Thomas,
>>>>
>>>> On 21.12.2017 at 00:56, Thomas Delaney
>>>>> <tdelaney....@gmail.com> wrote:
>>>>>
>>>>> Greetings,
>>>>>
>>>>> I am having trouble regarding google chrome's behavior to Apache
>>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>>> problem.
>>>>>
>>>>> When going to https://mydomain.com:8443 I receive a message from
>>>>> Google Chrome.
>>>>>
>>>>> Google Chrome Error - This site can’t provide a secure
>>>>> connection mydomain.com uses an unsupported protocol.
>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>>
>>>>> Unsupported protocol The client and server don't support a common
>>>>> SSL protocol version or cipher suite.
>>>>>
>>>>> When checking Google Chrome's Browser console in the security tab
>>>>> I receive: Page is not secure Valid certificate secure resources
>>>>>
>>>>> Here is the following background info I have for the
>>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>>> connector
>>>>>
>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>>
>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>>
>>>>> Packages installed:
>>>>>
>>>>> - OpenSSL 1.0.2n  7 Dec 2017
>>>>> - jdk version 1.7.0_79
>>>>>
>>>> That may be the culprit.
>>>>
>>>> Apparently this (old) version of Java7 will not provide in the
>>>> default modern ciphers that Chrome requires. And the config is
>>>> using the JSSE SSL implementation. But as you have TC Native and
>>>> openssl 1.0.2 you should switch to openssl.
>>>>
>>> This probably isn't the problem since Thomas is using the APR
>>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>>> not relevant.
>>>
>>>>> - tomcat version -> apache-tomcat-8.5.24
>>>>> - apr-1.6.3
>>>>> - tomcat-native-1.2.16-src
>>>>>
>>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>>> and are placed in the conf directory of Apache Tomcat):
>>>>>
>>>>> <Connector port="8443"
>>>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>            maxThreads="150" SSLEnabled="true"
>>>>>            defaultSSLHostConfigName="mydomain.com">
>>>>>   <SSLHostConfig hostName="mydomain.com"
>>>>>                  protocols="TLSv1,TLSv1.1,TLSv1.2">
>>>>>     <Certificate certificateKeyFile="conf/server.key"
>>>>>                  certificateFile="conf/server.crt"
>>>>>                  certificateChainFile="conf/CA_server_bundle.crt"
>>>>>                  type="RSA" />
>>>>>   </SSLHostConfig>
>>>>> </Connector>
>>>>>
>>> This looks okay to me. If you start Tomcat and then use "openssl
>>> s_client -connect <hostname>:<port>", does openssl connect? It should
>>> report the protocol and cipher suite being used to connect.
>>>
>>> If your server is externally-accessible, consider using an external TLS
>>> capabilities scanner such as that from Qualys,
>>> https://www.ssllabs.com/ssltest/
>>>
>>> - -chris
>>>
> --
> George S.
> *MH Software, Inc.*
>
> Voice: 303 438 9585
> http://www.mhsoftware.com
>
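
As an added example (not part of any message in this thread): a small shell helper that summarises `openssl s_client` output for a host an external scanner cannot reach, reporting the negotiated protocol, cipher, key-exchange family and verify code. The function names are hypothetical, and the sample output is constructed from the values quoted above.

```shell
#!/usr/bin/env bash
# Added example: summarise `openssl s_client` output for an internal host.
# Function names are hypothetical; SAMPLE_OUTPUT is constructed from the
# protocol, cipher and verify code quoted in the thread.

SAMPLE_OUTPUT='verify error:num=20:unable to get local issuer certificate
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)'

# Print the value of a "Name : value" line from the SSL-Session block.
session_field() {   # $1 = field name, stdin = s_client output
  sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Print the numeric code from the "Verify return code: N (...)" line.
verify_code() {     # stdin = s_client output
  sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9]*\).*/\1/p' |
    head -n 1
}

# Classify the key exchange from an OpenSSL cipher suite name. A server that
# only negotiates DHE suites cannot be reached by a client that offers none.
kx_family() {       # $1 = OpenSSL cipher suite name
  case "$1" in
    ECDHE-*)                     echo ECDHE ;;
    DHE-*|EDH-*)                 echo DHE ;;
    AES*|DES-CBC3*|CAMELLIA*)    echo RSA ;;   # static RSA: no kx prefix
    *)                           echo other ;;
  esac
}

# One-line summary of a handshake, read from stdin.
summarize() (
  out=$(cat)
  proto=$(printf '%s\n' "$out" | session_field Protocol)
  cipher=$(printf '%s\n' "$out" | session_field Cipher)
  code=$(printf '%s\n' "$out" | verify_code)
  printf 'protocol=%s cipher=%s kx=%s verify=%s\n' \
    "$proto" "$cipher" "$(kx_family "$cipher")" "${code:-unknown}"
)

# Live use against the connector from the thread (assumed invocation):
#   openssl s_client -connect <hostname>:<port> </dev/null 2>&1 | summarize
# Verify code 20 means s_client found no issuer in its trust store; rerun
# with -CAfile pointing at the CA bundle before judging the server's chain.
```
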
