This afternoon, I was doing a routine certificate update for a customer (cert in a Java Keystore), and when I restarted, Firefox worked just fine with the site, but Chrome kept insisting it couldn't negotiate a cipher.
The customer in question is still on Tomcat 7, because for some reason (maybe having to do with the IBM Midrange box it's running on being WAAayyyy behind on PTFs).

I shut them down, swapped in the new keystore (which I already had pre-staged), and I promptly discovered that I'd used a different alias for the cert. So I went into server.xml, found the connector, and removed the keyAlias clause completely: after all, there's only one chain in the keystore, and we've had plenty of connectors that work just fine with no keyAlias clause.

This one didn't. It came back up, and it worked fine with Firefox and Safari, but Chrome kept insisting that it couldn't negotiate a cipher. I looked at it in SSL Labs, and everything looked just fine. I switched it back to the old keystore, and Chrome still rejected it, with the same claim.

Finally, I put the keyAlias clause back in, restarted, and it worked just fine with Chrome. So I shut it back down, switched to the new keystore, plugged the new alias into the keyAlias clause, and brought it back up, and it still worked just fine.

I've added a note (in large, boldface, cranberry type) to the customer's records, saying to always have a keyAlias clause, but I'm still left with one nagging question: What the <censored> just happened?

--
James H. H. Lampert
Touchtone Corporation
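For reference, this is what a Tomcat 7 HTTPS connector with an explicit keyAlias looks like; it is an added illustration, not the poster's actual server.xml, and the keystore path, password and alias value are placeholders. Pinning keyAlias to the entry you intend to serve removes Tomcat's dependence on which entry it happens to pick from the keystore when no alias is given.

```xml
<!-- Added example: Tomcat 7 JSSE connector with the served certificate
     pinned by alias. Replace the placeholder values before use. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/to/site.jks"
           keystorePass="PLACEHOLDER-keystore-password"
           keystoreType="JKS"
           keyAlias="PLACEHOLDER-new-cert-alias" />
```

Before restarting, confirm the alias you put in keyAlias is really the one present in the swapped-in keystore (for example with `keytool -list -v -keystore /PLACEHOLDER/path/to/site.jks`), so that an alias mismatch fails loudly at startup rather than silently serving a different entry.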