tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Hall <jason.h...@mchsi.com>
Subject Re: Apache Tomcat 8.5.24 SSL Configuration
Date Thu, 21 Dec 2017 22:29:15 GMT

----- Original Message -----
From: Thomas Delaney <tdelaney.vai@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Thu, 21 Dec 2017 17:24:06 -0500 (EST)
Subject: Re: Apache Tomcat 8.5.24 SSL Configuration

Thank you for the input so far!

I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
receive the same result

when running the openssl s_client command I recieved this as the Cipher and
SSL version
Protocol  : TLSv1.2
Cipher    : DHE-RSA-AES256-GCM-SHA384

I also get a message saying  "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"

On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Peter,
>
> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
> >
> > Hi Thomas,
> >
> >> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
> >> <tdelaney.vai@gmail.com>:
> >>
> >> Greetings,
> >>
> >> I am having trouble regarding google chrome's behavior to Apache
> >> Tomcat's SSL setup. I have been successful getting an ssl website
> >> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
> >> on google chrome. Mozilla Firefox brings me to my site with no
> >> problem.
> >>
> >> When going to https://mydomain.com:8443 I recieve a message from
> >> Google Chrome.
> >>
> >> Google Chrome Error - This site can’t provide a secure
> >> connection mydomain.com uses an unsupported protocol.
> >> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>
> >> Unsupported protocol The client and server don't support a common
> >> SSL protocol version or cipher suite.
> >>
> >> When checking Google Chrome's Browser console in the security tab
> >> I recieve: Page is not secure Valid certificate secure resources
> >>
> >> Here is the following background info I have for the
> >> configuration I gave Apache Tomcat when setting up the 8443
> >> connector
> >>
> >> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> >>
> >> Linux OS: SUSE Enterprise 12 sp1
> >>
> >> Packages installed:
> >>
> >> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> >
> > That may be the culprit.
> >
> > Apparently this (old) version of Java7 will not provide in the
> > default modern ciphers that Chrome requires. And the config is
> > using the JSSE SSL implementation. But as you have TC Native and
> > openssl 1.0.2 you should switch to openssl.
>
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
> not relevant.
>
> >> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
> >> tomcat-native-1.2.16-src
> >>
> >> Server.xml apr connector (Certificates are signed from GoDaddy
> >> and are placed in the conf directory of Apache Tomcat):
> >>
> >> <Connector port="8443"
> >> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
> >> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
> >> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
> >> certificateKeyFile="conf/server.key"
> >> certificateFile="conf/server.crt"
> >> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
> >> </SSLHostConfig> </Connector>
>
> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect <hostname>:<port>", does openssl connect? It should
> report the protocol and cipher suite being used to connect.
>
> If you server is externally-accessible, consider using an external TLS
> capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo
> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc
> eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf
> 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr
> W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+
> ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1
> noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY
> O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp
> 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF
> mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c
> nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha
> 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e
> /aq7VBV+GiEaWzZweAi8/k4R3wk=
> =DEHk
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Just a guess, but does the whole chain need to leaded.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message