James,

On 12/19/24 11:15 PM, James Lampert wrote:
> This afternoon, I was doing a routine certificate update for a customer (cert in a Java Keystore), and when I restarted, Firefox worked just fine with the site, but Chrome kept insisting it couldn't negotiate a cipher.
What cipher suite did Firefox successfully negotiate?
> The customer in question is still on Tomcat 7, because for some reason (maybe having to do with the IBM Midrange box it's running on being WAAayyyy behind on PTFs). I shut them down, swapped in the new keystore (which I already had pre-staged), and I promptly discovered that I'd used a different alias for the cert. So I went into server.xml, found the connector, and removed the keyAlias clause completely: after all, there's only one chain in the keystore, and we've had plenty of connectors that work just fine with no keyAlias clause. This one didn't. It came back up, and it worked fine with Firefox and Safari, but Chrome kept insisting that it couldn't negotiate a cipher. I looked at it in SSLlabs, and everything looked just fine. I switched it back to the old keystore, and Chrome still rejected it, with the same claim. Finally, I put the keyAlias clause back in, restarted, and it worked just fine with Chrome. So I shut it back down, switched to the new keystore, plugged the new alias into the keyAlias clause, and brought it back up, and it still worked just fine.
When you got Chrome working again, which cipher suite did it successfully negotiate? If you try in this configuration with Firefox, which cipher suite is successfully negotiated?
What does SSLLabs say for each of the two configurations in terms of supported cipher suites?
Do the keys used in both cases have similar qualities (e.g. key type RSA-vs-EC, same bit count, and same-curve for EC)?
> I've added a note (in large, boldface, cranberry type) to the customer's records, saying to always have a keyAlias clause, but I'm still left with one nagging question: What the <censored> just happened?
Tomcat needs to select the right key and cert from the keystore so if that's wrong things won't work. But the way you describe them not-working is odd. Typically, if Tomcat can't find the key+cert, the connector will simply fail to initialize and you won't be able to connect to it AT ALL.
-chris
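To answer the questions above (which protocol and cipher suite a given client configuration actually negotiates, and what kind of key the server presents), here is an added example that is not part of this thread: a small wrapper around `openssl s_client`. The host and port are whatever you pass in, and SAMPLE is constructed text so the parsing can be checked offline; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
set -eu

# Pull the negotiated protocol, cipher suite and server key size out of the
# text that `openssl s_client` prints for one handshake.
summarize_handshake() {
  out="$1"
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n1)
  keybits=$(printf '%s\n' "$out" \
    | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n1)
  printf 'protocol=%s cipher=%s keybits=%s\n' \
    "${proto:-?}" "${cipher:-?}" "${keybits:-?}"
}

# probe HOST PORT [extra s_client options]
# Extra options such as -tls1_2 or -cipher 'ECDHE-RSA-AES128-GCM-SHA256'
# narrow what the client offers, which is how to approximate a pickier
# browser (or compare two connector configurations) without that browser.
probe() {
  host="$1"; port="$2"; shift 2
  out=$(openssl s_client -connect "$host:$port" -servername "$host" "$@" \
        </dev/null 2>/dev/null || true)
  summarize_handshake "$out"
  # Key type, size and curve of the leaf certificate, taken from the PEM
  # block that s_client echoes (answers the RSA-vs-EC / same-curve question).
  printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null \
    | grep -E 'Public Key Algorithm|Public-Key:|NIST CURVE' | sed 's/^ *//'
}

# Constructed sample of s_client output so the parser can be run offline.
SAMPLE='SSL handshake has read 3512 bytes and written 433 bytes
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

if [ "$#" -ge 2 ]; then probe "$@"; else summarize_handshake "$SAMPLE"; fi
```

Run it once per connector configuration (with and without keyAlias) and once per client profile you want to imitate; differing `cipher=` or key lines between the two runs is the first thing to look at.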