tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Errors establishing secure connections with tomcat 8.5.15
Date Thu, 13 Jul 2017 20:31:59 GMT

Kevin,

On 7/11/17 3:48 PM, Kevin Mango wrote:
> 
> 
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Tuesday, July 11, 2017 1:58 PM
> To: users@tomcat.apache.org
> Subject: Re: Errors establishing secure connections with tomcat 8.5.15
> 
> Kevin,
> 
> On 7/7/17 12:40 PM, Kevin Mango wrote:
>> I was able to resolve this by using 
>> "-Dcom.sun.net.ssl.enableECC=false" when starting tomcat to
>> disable the use of Elliptic Curves, the only issue now is that
>> Google Chrome is having issues finding a common cipher suite to
>> use, giving the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
> 
> Your configuration does not include any specification for cipher
> suites:
> 
>>>> Here is the connector in our server.xml file:
>>>> 
>>>> <Connector port="8443" 
>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" 
>>>> maxThreads="200" scheme="https" secure="true" 
>>>> SSLEnabled="true" defaultSSLHostConfigName="<hostname> ">
>>>> <SSLHostConfig hostname="<hostname> " protocols="TLSv1.2" 
>>>> sslProtocol="TLSv1.2"> <Certificate 
>>>> certificateKeystoreFile="<pfx cert location and full file 
>>>> name>" certificateKeystorePassword="<password>" 
>>>> certificateKeystoreType="PKCS12" type="RSA"/>
>>>> </SSLHostConfig>
>>>> 
>>>> </Connector>
> 
> So it would be unusual for a client and server not to be able to
> agree on a cipher suite.
> 
> Are you adjusting the available cipher suites any other way (e.g. 
> system property that affects JSSE, edits to
> $JAVA_HOME/jre/security/*.policy, etc.)?
> 
> What kind of certificate are you using? Is it an ECC certificate
> (rather than the more common RSA certificates)?
> 
> -chris 
> 
> Hi Chris,
> 
> I'm not adjusting the cipher suites in any way. My *.policy files
> are the default ones that came with the JDK installation, same with
> the .security file. The only thing I changed in that directory was
> adding the Unlimited Strength policy JARs.
> 
> As for the certificates, we are using self-signed RSA
> certificates.
> 
> On our older machines that are running Tomcat 7 and JDK 7, these
> certificates work fine for our purposes and are still working. In
> these cases the handshake uses the cipher
> ECDHE-RSA-AES128-GCM-SHA256. But with Tomcat 8.5.15 and JDK 8 we
> have been getting errors with unsupported elliptic curve, even
> when it uses the same or similar cipher suites.
> 
> Additionally I have tried debugging this with OpenSSL, but when
> trying to connect it gives an error message "SSL
> routines:tls_process_ske_ecdhe:wrong
> curve:ssl\statem\statem_clnt.c:2057:". Even when specifying curves
> and cipher suites into the OpenSSL client connection, I continue to
> get this error.
> 
> The only thing that has come close to working for us is using
> "-Dcom.sun.net.ssl.enableECC=false" when starting Tomcat to disable
> all EC ciphers, but Google Chrome won't accept the connection due
> to being unable to find a common cipher suite.

Can you try "repairing" your Java installation to restore the original
policy files? I've added the Unlimited Cipher Strength Policy Files
before and it's fairly straightforward, but I'm wondering if maybe you
botched the installation of those and broke the JRE.

- -chris
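A quick way to test Chris's suspicion that the JRE itself, rather than the Connector, is the problem is to ask the JVM what it can actually do before Tomcat is involved. The following is an added diagnostic written for this thread, not code from the thread or from Tomcat; it uses only standard JDK APIs. It reports whether the jurisdiction policy files loaded and whether "unlimited" strength is in effect (on JDK 8 before 8u161 the default policy caps AES at 128 bits; 8u161 and later default to unlimited), lists the protocols and the ECDHE cipher suites the JSSE provider offers, and checks for the JSSE name of the suite Kevin saw negotiated on the Tomcat 7 hosts. The class name `JsseCheck` is the author's choice here. Run it with the same `java` binary and the same `-D` flags that start Tomcat, otherwise it describes a different JVM than the one failing.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/*
 * JsseCheck: added diagnostic, not part of the thread or of Tomcat.
 * Compile and run with the exact JDK that launches Tomcat, e.g.
 *   $JAVA_HOME/bin/javac JsseCheck.java && $JAVA_HOME/bin/java JsseCheck
 * If Tomcat is started with -Dcom.sun.net.ssl.enableECC=false, pass the same
 * flag here so the output reflects the same JVM state.
 */
public class JsseCheck {

    // JSSE name of the suite negotiated on the Tomcat 7 / JDK 7 hosts
    // (OpenSSL name: ECDHE-RSA-AES128-GCM-SHA256).
    static final String EXPECTED_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 1. Did the jurisdiction policy files load, and is "unlimited" in effect?
        //    Restricted policy: AES capped at 128. Unlimited Strength files installed
        //    correctly (or JDK 8u161+): Integer.MAX_VALUE. Damaged local_policy.jar /
        //    US_export_policy.jar typically fail at JCE initialization, which is the
        //    breakage Chris suspects.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes > 128 ? "  [unlimited policy active]" : "  [restricted policy]"));

        // 2. What this JRE can negotiate on its own, before server.xml is involved.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        String[] suites = supported.getCipherSuites();
        System.out.println("Supported protocols:     " + Arrays.toString(supported.getProtocols()));
        System.out.println("Default protocols:       " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Supported cipher suites: " + suites.length);

        long ecdheSuites = Arrays.stream(suites).filter(s -> s.startsWith("TLS_ECDHE_")).count();
        boolean hasExpected = Arrays.asList(defaults.getCipherSuites()).contains(EXPECTED_SUITE);
        System.out.println("ECDHE suites supported:  " + ecdheSuites);
        System.out.println(EXPECTED_SUITE + " enabled by default: " + hasExpected);

        // 3. The property from the thread, plus which JVM this is, so the output can
        //    be matched against the JRE whose policy files were replaced.
        System.out.println("com.sun.net.ssl.enableECC = " + System.getProperty("com.sun.net.ssl.enableECC"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Reading the result: an exception in step 1, or zero ECDHE suites in step 2,
        // points at the JRE (policy files or security providers), not at the Connector.
    }
}
```

If step 1 fails or step 2 shows no ECDHE suites on the JDK 8 host while the JDK 7 host reports them, reinstalling the JRE (or restoring the two original policy JARs from a fresh JDK download) is the fix to try before touching the Connector; if both look healthy, the cipher-suite mismatch is being introduced somewhere else and the `ciphers` attribute on `SSLHostConfig` becomes the next thing to pin down explicitly.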
