-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Thomas,
On 12/21/17 5:24 PM, Thomas Delaney wrote: > Thank you for the input so far! > > I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and > still receive the same result > > when running the openssl s_client command I recieved this as the > Cipher and SSL version Protocol : TLSv1.2 Cipher : > DHE-RSA-AES256-GCM-SHA384 Good, OpenSSL can connect which means that TLS is at least set up properly and running. > I also get a message saying "verify error:num=20:unable to get > local issuer certificate" "Verify return code: 20 (unable to get > local issuer certificate)" That's not a problem, especially if you are using a self-signed certificate or a CA that OpenSSL doesn't recognize. If you can't use SSLLabs's test, you might be able to use this one: https://wiki.apache.org/tomcat/tools/SSLTest.java (and) https://wiki.apache.org/tomcat/tools/SSLUtils.java - -chris > On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > Peter, > > On 12/21/17 2:38 AM, l...@kreuser.name wrote: >>>> >>>> Hi Thomas, >>>> >>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney >>>>> <tdelaney....@gmail.com>: >>>>> >>>>> Greetings, >>>>> >>>>> I am having trouble regarding google chrome's behavior to >>>>> Apache Tomcat's SSL setup. I have been successful getting >>>>> an ssl website to work with Apache HTTP web server, but not >>>>> Apache Tomcat 8.5.24 on google chrome. Mozilla Firefox >>>>> brings me to my site with no problem. >>>>> >>>>> When going to https://mydomain.com:8443 I recieve a message >>>>> from Google Chrome. >>>>> >>>>> Google Chrome Error - This site can’t provide a secure >>>>> connection mydomain.com uses an unsupported protocol. >>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH >>>>> >>>>> Unsupported protocol The client and server don't support a >>>>> common SSL protocol version or cipher suite. >>>>> >>>>> When checking Google Chrome's Browser console in the >>>>> security tab I recieve: Page is not secure Valid >>>>> certificate secure resources >>>>> >>>>> Here is the following background info I have for the >>>>> configuration I gave Apache Tomcat when setting up the >>>>> 8443 connector >>>>> >>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit) >>>>> >>>>> Linux OS: SUSE Enterprise 12 sp1 >>>>> >>>>> Packages installed: >>>>> >>>>> - OpenSSL 1.0.2n 7 Dec 2017 - jdk version 1.7.0_79 >>>> >>>> That may be the culprit. >>>> >>>> Apparently this (old) version of Java7 will not provide in >>>> the default modern ciphers that Chrome requires. And the >>>> config is using the JSSE SSL implementation. But as you have >>>> TC Native and openssl 1.0.2 you should switch to openssl. > > This probably isn't the problem since Thomas is using the APR > connector. TLS cipher suite support (or lack thereof) from Java 1.7 > is not relevant. > >>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 - >>>>> tomcat-native-1.2.16-src >>>>> >>>>> Server.xml apr connector (Certificates are signed from >>>>> GoDaddy and are placed in the conf directory of Apache >>>>> Tomcat): >>>>> >>>>> <Connector port="8443" >>>>> protocol="org.apache.coyote.http11.Http11AprProtocol" >>>>> maxThreads="150" SSLEnabled="true" >>>>> defaultSSLHostConfigName=" mydomain.com" > <SSLHostConfig >>>>> hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2"> >>>>> <Certificate certificateKeyFile="conf/server.key" >>>>> certificateFile="conf/server.crt" >>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" >>>>> /> </SSLHostConfig> </Connector> > > This looks okay to me. If you start Tomcat and then use "openssl > s_client -connect <hostname>:<port>", does openssl connect? It > should report the protocol and cipher suite being used to connect. > > If you server is externally-accessible, consider using an external > TLS capabilities scanner such as that from Qualys, > https://www.ssllabs.com/ssltest/ > > -chris >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo9SQIdHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFinRxAAgr+i0PtFCGPAqWJ7 Y0VvfFSGPsQCiUz3qkp9mCiXCl87TLy5PrbpPT9avDyTjjtA1gbl16goc4jtB5zt zcjZuasQkwz9cDMkmlJ4T0USd/TfepJXbssaqi7tLUxFM0dBChoP7uzprO7HF3hE yqGD7nm1YEDcSgVqXrx8FkHA5D9hY1yP47djPkJL9/yxWunc1BqeoJ2JMoXLX7Sx 78LYywT1oYm1fj+UP6wacKDU/6gZINBQsLRmCVkpE4iYlyUnswdo4FChSQb9HTMp pK0nyCVXG4RWPO90qCdSbuTZmIy0WvHxZL9O6CSkBdIycz09nYDVxTQQuyJusrYh 35BGCxzAgRfoj9bu04O6ezXoIpmWXLB48cFu5BrhX2I6/WXy/a9SSCzgaztj9rGS X/9TFrI7DvOkMw0VCI162159QpuzcpRG0H13VGq36ldqdfrQ0DUYSqSwuS36I+2P aIJ2vY6T0P7G5KBg4uqKyTDTwNq5zANRpJqMfQkQHD3fh0tHT35dBWj46aFBtXrq YUT2O99eA459XMGKl6j85d4LU3aSU35EK7xSqUQmWGHpgjDXMcktcF9opV3Tdb1h n13Yjr6Oyj0M4XUYNSAI73FXgd7VP5x51ttTI4hgXdPbGz/4e4QYpDmNmfLRhtvP wsWEKfnZA/BDDX3ES3x0cioAzV8= =zAMc -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
