-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Peter,
On 12/21/17 2:38 AM, l...@kreuser.name wrote: > > Hi Thomas, > >> Am 21.12.2017 um 00:56 schrieb Thomas Delaney >> <tdelaney....@gmail.com>: >> >> Greetings, >> >> I am having trouble regarding google chrome's behavior to Apache >> Tomcat's SSL setup. I have been successful getting an ssl website >> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24 >> on google chrome. Mozilla Firefox brings me to my site with no >> problem. >> >> When going to https://mydomain.com:8443 I recieve a message from >> Google Chrome. >> >> Google Chrome Error - This site can’t provide a secure >> connection mydomain.com uses an unsupported protocol. >> ERR_SSL_VERSION_OR_CIPHER_MISMATCH >> >> Unsupported protocol The client and server don't support a common >> SSL protocol version or cipher suite. >> >> When checking Google Chrome's Browser console in the security tab >> I recieve: Page is not secure Valid certificate secure resources >> >> Here is the following background info I have for the >> configuration I gave Apache Tomcat when setting up the 8443 >> connector >> >> Chrome Version 63.0.3239.108 (Official Build) (64-bit) >> >> Linux OS: SUSE Enterprise 12 sp1 >> >> Packages installed: >> >> - OpenSSL 1.0.2n 7 Dec 2017 - jdk version 1.7.0_79 > > That may be the culprit. > > Apparently this (old) version of Java7 will not provide in the > default modern ciphers that Chrome requires. And the config is > using the JSSE SSL implementation. But as you have TC Native and > openssl 1.0.2 you should switch to openssl. This probably isn't the problem since Thomas is using the APR connector. TLS cipher suite support (or lack thereof) from Java 1.7 is not relevant. >> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 - >> tomcat-native-1.2.16-src >> >> Server.xml apr connector (Certificates are signed from GoDaddy >> and are placed in the conf directory of Apache Tomcat): >> >> <Connector port="8443" >> protocol="org.apache.coyote.http11.Http11AprProtocol" >> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName=" >> mydomain.com" > <SSLHostConfig hostName="mydomain.com" >> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate >> certificateKeyFile="conf/server.key" >> certificateFile="conf/server.crt" >> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" /> >> </SSLHostConfig> </Connector> This looks okay to me. If you start Tomcat and then use "openssl s_client -connect <hostname>:<port>", does openssl connect? It should report the protocol and cipher suite being used to connect. If you server is externally-accessible, consider using an external TLS capabilities scanner such as that from Qualys, https://www.ssllabs.com/ssltest/ - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+ ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1 noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e /aq7VBV+GiEaWzZweAi8/k4R3wk= =DEHk -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
