On 1/2/25 10:38 AM, Christopher Schultz wrote:
> Is it possible that you are using a self-signed cert in this case? If
> you do not import the signed certificate properly into the keystore, you
> can end up with your private key+cert separate from the signed one from
> the CA.
>
> If you only have a single item in the keystore, that's not the issue but
> double-check the Issuer and Subject of the cert. They should be
> different if you are using a CA -- even if it's an internal CA like
> My-Company-CA or whatever.
>
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH really suggests Chrome doesn't like
> the TLS protocol version or can't match a cipher suite but that doesn't
> jive with your Qualys results. You are hitting this Tomcat instance
> directly, right? Not through a proxy or anything that might be
> performing its own TLS handshake that isn't Tomcat?
None of these possibilities explain why Firefox and Qualys/SSLLabs found
nothing amiss. And the keystore appears to be just fine: just one chain,
with the CA reply imported properly into the subject cert, and the
supporting certs chained but not imported.

And yes, the Tomcat instance is being accessed directly.

It wouldn't be the first time I've seen things I can't explain. And they
are the only customer installation that hasn't been migrated to *at
least* Tomcat 8, and I put a note about the anomaly in their records.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
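The keystore checks discussed in this thread (exactly one PrivateKeyEntry; Owner differing from Issuer when a CA signed the cert; the CA reply imported into the key entry rather than left as a separate trusted cert), written up as an added example that is not from the thread or from Tomcat: it runs over the text output of `keytool -list -v`. The listing in SAMPLE and the names in it are constructed.

```python
# Added example, not from the thread: apply the keystore checks above to the text
# output of `keytool -list -v`. The listing in SAMPLE is constructed, not real.
def _value(line):
    return line.split(":", 1)[1].strip()
def parse_keytool_listing(text):
    """Group the listing into entries: alias, entry type, [{owner, issuer}, ...]."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": _value(line), "type": "", "certs": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Entry type:"):
            cur["type"] = _value(line)
        elif line.startswith("Owner:"):
            cur["certs"].append({"owner": _value(line), "issuer": ""})
        elif line.startswith("Issuer:") and cur["certs"]:
            cur["certs"][-1]["issuer"] = _value(line)
    return entries
def audit_keystore(text):
    """Return findings for the keystore mistakes the thread describes."""
    entries = parse_keytool_listing(text)
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    findings = [] if len(keys) == 1 else [f"expected one PrivateKeyEntry, found {len(keys)}"]
    for e in keys:
        leaf = e["certs"][0]                 # Certificate[1] is the server cert
        if leaf["owner"] == leaf["issuer"]:  # self-signed: Subject == Issuer
            findings.append(f"{e['alias']}: server cert is self-signed (Owner == Issuer)")
            # Classic symptom: the CA reply sits in its own trusted entry instead
            # of having been imported into the private-key entry.
            for t in entries:
                if t["type"] == "trustedCertEntry" and any(
                        c["owner"] == leaf["owner"] != c["issuer"] for c in t["certs"]):
                    findings.append(f"{e['alias']}: CA-signed cert for the same subject is "
                                    f"in trustedCertEntry '{t['alias']}', not in the key entry")
        elif len(e["certs"]) < 2:            # CA-signed but nothing chained after it
            findings.append(f"{e['alias']}: CA-signed leaf with no intermediate/root chained")
    return findings
SAMPLE = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=www.example.test, O=Example
Issuer: CN=www.example.test, O=Example
Alias name: careply
Entry type: trustedCertEntry
Owner: CN=www.example.test, O=Example
Issuer: CN=My-Company-CA, O=Example
"""
```

Run `audit_keystore(open("listing.txt").read())` on a saved `keytool -list -v` listing; an empty result means the keystore has the shape the thread calls fine (one key entry, CA-signed leaf with its chain attached).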