John,

On 9/27/16 11:57 AM, Fuchs, John J. wrote:
> Certainly late on the SHA-2 move from SHA-1 SSL certificates but
> ours hadn't expired yet and wasn't causing any issues. Our
> environment is Windows Server 2008 R2, JVM 1.6.0_22-b04 and Apache
> Tomcat 6.0.26.

Heh. You're certainly late on upgrading *everything* ;)

> I'm testing replacement of my soon to expire SHA-1 certificate with
> an SHA-2. Regardless of what I give as the SSL HTTP / 1.1
> connector description in server.xml I get invalid ssl conf and
> cipher error messages in the catalina.log file. In server.xml in
> place of the ciphers= parameter I've tried: the current line which
> has worked since 2013 with the SHA-1 certificate, removed the
> ciphers=, ciphers=HIGH, ciphers=RSA, ciphers=ALL and then the same
> existing line but with all of the 128's as 256's.

<Connector> configuration? Remember to remove any sensitive passwords,
etc.

What are all the new versions of everything? Or are you still using
the complete old stack with nothing changing but the certificate itself?

> The output in catalina.log is:
>
> SEVERE: Error initializing endpoint
> java.io.IOException: jsse.invalid_ssl_conf

Well THAT'S a great error message.

> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
> at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
> at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
> at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
> ... 15 more

Seeing the <Connector> configuration will help, here.

This is an RSA key, right?

It's possible that you will need to upgrade Java to get a set of protocols and

> Any resolution from others who have encountered this already or
> new directions to point me in would be appreciated.

-chris