James,
One more tidbit (perhaps you already saw this).
https://www.400power.com/node/323
Sounds a bit like what you are experiencing?
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
On 1/2/2025 4:34 PM, Christopher Schultz wrote:
James,
On 1/2/25 2:45 PM, James H. H. Lampert wrote:
On 1/2/25 10:38 AM, Christopher Schultz wrote:
Is it possible that you are using a self-signed cert in this case?
If you do not import the signed certificate properly into the
keystore, you can end up with your private key+cert separate from
the signed one from the CA.
If you only have a single item in the keystore, that's not the issue
but double-check the Issuer and Subject of the cert. They should be
different if you are using a CA -- even if it's an internal CA like
My-Company-CA or whatever.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH really suggests Chrome doesn't
like the TLS protocol version or can't match a cipher suite but that
doesn't jive with your Qualys results. You are hitting this Tomcat
instance directly, right? Not through a proxy or anything that might
be performing its own TLS handshake that isn't Tomcat?
None of these possibilities explain why Firefox and Qualys/SSLLabs
found nothing amiss.
Yeah, this was why I was asking if maybe there was a load-balancer in
the mix somewhere making everything "work" but I guess... not work. In
retrospect, it was a dumb question :)
And the keystore appears to be just fine: just one chain, with the CA
reply imported properly into the subject cert, and the supporting
certs chained but not imported.
There is no difference between chained and imported. If they are in
the keystore (and are chained) then they are used. If not, then they
obviously can't be used. "Import" just means putting the item into the
keystore.
And yes, the Tomcat instance is being accessed directly.
It wouldn't be the first time I've seen things I can't explain. And
they are the only customer installation that hasn't been migrated to
*at least* Tomcat 8, and I put a note about the anomaly in their
records.
Well, I'm happy it's working for you under at least one configuration.
Migrating forward to Tomcat 9 should obviously be on their schedule.
I'm not sure what market sector they are in, but it's possible they
are violating a required best practice, here: you shouldn't be running
unsupported software. That said, there is at least one company I know
of that will provide support for Tomcat 7 including back-porting all
security fixes, etc. if your customer (or you, since you are the
software provider) needs such paid support.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
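The checks Chris recommends above (a key entry whose chain is only a self-signed cert because the CA reply was never imported into that alias; Issuer and Subject of the served cert; whether the chained certs actually verify against each other) can be run as a small program against the Tomcat keystore. This is an added example, not code from the thread or from Tomcat; the keystore path, password and type on the command line are placeholders you supply.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example (not from the mailing-list thread): list every alias in a
 * Tomcat keystore and flag the conditions discussed in the thread.
 *
 * Usage (path, password and type are hypothetical placeholders):
 *   java KeystoreCheck /path/to/keystore.p12 changeit PKCS12
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreCheck <keystore> <password> [type]");
            System.exit(2);
        }
        // JKS or PKCS12; defaults to the JVM's configured keystore type
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // This is what Tomcat serves: the private key plus its chain
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("key entry    " + alias + " (chain length " + chain.length + ")");
                checkChain(chain);
            } else {
                // A trusted-cert entry is only "chained" material, never served as the server cert
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted cert " + alias + ": " + c.getSubjectX500Principal());
            }
        }
    }

    /** Self-signed means Issuer == Subject AND the cert verifies with its own key. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
            return false;
        }
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    static void checkChain(Certificate[] chain) {
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("  subject: " + leaf.getSubjectX500Principal());
        System.out.println("  issuer : " + leaf.getIssuerX500Principal());

        if (chain.length == 1 && isSelfSigned(leaf)) {
            // The original keypair's placeholder cert is still in place: the CA reply
            // was imported under a different alias (or not at all), so clients get a self-signed cert.
            System.out.println("  WARNING: only a self-signed cert in this key entry; the CA reply was not imported into it");
        } else if (chain.length == 1) {
            // CA-issued leaf but no intermediates: clients that lack the issuer cert will fail to build a path
            System.out.println("  WARNING: leaf is CA-issued but no intermediate certs are chained; Tomcat will send only the leaf");
        }

        // Verify each link: chain[i] must be signed by chain[i+1]
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i];
            X509Certificate parent = (X509Certificate) chain[i + 1];
            try {
                child.verify(parent.getPublicKey());
                System.out.println("  ok: " + child.getSubjectX500Principal()
                        + " signed by " + parent.getSubjectX500Principal());
            } catch (Exception e) {
                System.out.println("  BROKEN LINK: chain[" + i + "] is not signed by chain[" + (i + 1) + "]: " + e);
            }
        }

        try {
            leaf.checkValidity();
        } catch (Exception e) {
            System.out.println("  WARNING: leaf cert is not currently valid: " + e);
        }
    }
}
```

Compare the output with what the browser shows for the served certificate: if the browser presents a cert whose Subject equals its Issuer while the keystore holds a CA-issued one under another alias, the key entry Tomcat actually uses is the self-signed placeholder, and the fix is to import the CA reply into the alias that holds the private key rather than creating a new entry.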