On 13/01/2016 18:36, Harrie Robins wrote:
> Hi!
>
> I'm running Tomcat 7.0.65 with APR connector over port 443.

Tomcat version - tick
Connector config - tick
Tomcat-Native version ... ?

Mark

> I'm experiencing
> trouble with users that connect with IE11 over SSL. Connecting and browsing
> works fine, but sometimes a white screen with this error pops up. Once they
> disable TLS 1.2 everything works fine:
>
> This page can't be displayed
>
> Turn on TLS 1.0, TLS1.1 and TLS 1.2 in Advanced settings and try connecting
> to https://sub.example.com again. If this error persists, contact your site
> administrator.
>
> Right now I'm using SHA-2 encryption (we moved from SHA-1) with A+ rating on
> SSLLabs, without any errors.
>
> Server.xml configuration. Ciphers following latest intermediate from Mozilla
> openssl config:
>
> <Connector port="443"
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     connectionTimeout="6000"
>     maxThreads="500"
>     maxKeepAliveRequests="-1"
>     acceptCount="200"
>     SSLEnabled="true"
>     scheme="https"
>     secure="true"
>     clientAuth="false"
>     enableLookups="false"
>     SSLCertificateFile="C:\server\ssl\server.crt"
>     SSLCertificateKeyFile="C:\server\ssl\private.key"
>     SSLCACertificateFile="C:\server\ssl\intermediate.crt"
>     SSLPassword="passw"
>     SSLProtocol="all -SSLv2-SSLv3"
>     SSLHonorCipherOrder="true"
>     SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE:!EDH"
> />
>
> Does anyone have a pointer about what could be wrong with this
> configuration?
>
> Kind regards,
>
> Harrie