James,
On 12/29/24 2:30 PM, James H. H. Lampert wrote:
> Testing with the "bad" configuration (i.e., no keyAlias clause), Firefox
> still reports "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS
> 1.2" and Chrome still rejects the site outright.

Do you have a capture of the exact error? Handshake errors typically
include at least a terse amount of detail.

> And the relevant sections of an SSLLabs scan, so far as I can determine,
> look *exactly* like the sections I saved as a PDF Friday (and I saved the
> relevant sections as a PDF because that was the easiest way to visually
> compare the saved report to the live one).
>
> The only difference I can see is that unlike other customer
> installations that are on either Tomcat 8 or Tomcat 9, and work just
> fine without the keyAlias clause, this one installation is on Tomcat 7,
> because the OS version, available Java versions, and PTF level (of both
> the OS and the Java) don't get along well with Tomcat 8, and aren't
> expected to get along at all with Tomcat 9.
>
> It makes no sense to me.

The keyAlias should only be necessary if there are multiple entries in
your keystore. If you have exactly one "PrivateKeyEntry" in your key
store then it shouldn't matter at all.
-chris
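
To check the point about multiple keystore entries, the following lists a keystore's aliases and flags the PrivateKeyEntry ones. It is an added example, not code from the thread or from Tomcat; the class name KeyAliasCheck and its command-line arguments are assumptions, and it needs Java 7 or later.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example, not from the thread: report which keystore entries are
// PrivateKeyEntry, to decide whether the connector needs keyAlias.
// Usage (hypothetical): java KeyAliasCheck <keystore-file> [store-type]
public class KeyAliasCheck {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length < 1 || console == null) {
            System.err.println("usage (from a terminal): KeyAliasCheck <keystore-file> [store-type]");
            System.exit(2);
        }
        String type = args.length > 1 ? args[1] : KeyStore.getDefaultType();
        // Prompt for the store password so it stays out of the process list.
        char[] password = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        List<String> privateKeys = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // entryInstanceOf checks the entry type without decrypting the key.
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                privateKeys.add(alias);
                Certificate cert = ks.getCertificate(alias);
                String alg = (cert == null) ? "unknown" : cert.getPublicKey().getAlgorithm();
                System.out.println("PrivateKeyEntry: " + alias + " (certificate key: " + alg + ")");
            } else {
                System.out.println("other entry:     " + alias);
            }
        }

        if (privateKeys.size() == 1) {
            System.out.println("One PrivateKeyEntry: keyAlias should not be needed.");
        } else {
            System.out.println(privateKeys.size() + " PrivateKeyEntry entries: "
                    + (privateKeys.isEmpty() ? "no key to serve." : "set keyAlias to pick one of " + privateKeys));
        }
    }
}
```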