tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Apache Tomcat 8.5.24 SSL Configuration
Date Fri, 22 Dec 2017 18:03:46 GMT

Thomas,

On 12/21/17 5:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
> 
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and
> still receive the same result
> 
> when running the openssl s_client command I received this as the
> Cipher and SSL version:
>   Protocol  : TLSv1.2
>   Cipher    : DHE-RSA-AES256-GCM-SHA384

Good, OpenSSL can connect which means that TLS is at least set up
properly and running.

> I also get a message saying  "verify error:num=20:unable to get
> local issuer certificate" "Verify return code: 20 (unable to get
> local issuer certificate)"

That's not a problem, especially if you are using a self-signed
certificate or a CA that OpenSSL doesn't recognize.

If you can't use SSLLabs's test, you might be able to use this one:
https://wiki.apache.org/tomcat/tools/SSLTest.java
(and)
https://wiki.apache.org/tomcat/tools/SSLUtils.java

-chris

> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> 
> Peter,
> 
> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>>> 
>>>> Hi Thomas,
>>>> 
>>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney 
>>>>> <tdelaney.vai@gmail.com>:
>>>>> 
>>>>> Greetings,
>>>>> 
>>>>> I am having trouble regarding google chrome's behavior to
>>>>> Apache Tomcat's SSL setup. I have been successful getting
>>>>> an ssl website to work with Apache HTTP web server, but not
>>>>> Apache Tomcat 8.5.24 on google chrome. Mozilla Firefox
>>>>> brings me to my site with no problem.
>>>>> 
>>>>> When going to https://mydomain.com:8443 I receive a message
>>>>> from Google Chrome.
>>>>> 
>>>>> Google Chrome Error - This site can’t provide a secure 
>>>>> connection mydomain.com uses an unsupported protocol. 
>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>> 
>>>>> Unsupported protocol The client and server don't support a
>>>>> common SSL protocol version or cipher suite.
>>>>> 
>>>>> When checking Google Chrome's Browser console in the
>>>>> security tab I receive: Page is not secure Valid
>>>>> certificate secure resources
>>>>> 
>>>>> Here is the following background info I have for the 
>>>>> configuration I gave Apache Tomcat when setting up the
>>>>> 8443 connector
>>>>> 
>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>> 
>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>> 
>>>>> Packages installed:
>>>>> 
>>>>> - OpenSSL 1.0.2n  7 Dec 2017
>>>>> - jdk version 1.7.0_79
>>>> 
>>>> That may be the culprit.
>>>> 
>>>> Apparently this (old) version of Java7 will not provide in
>>>> the default modern ciphers that Chrome requires. And the
>>>> config is using the JSSE SSL implementation. But as you have
>>>> TC Native and openssl 1.0.2 you should switch to openssl.
> 
> This probably isn't the problem since Thomas is using the APR 
> connector. TLS cipher suite support (or lack thereof) from Java 1.7
> is not relevant.
> 
>>>>> - tomcat version -> apache-tomcat-8.5.24
>>>>> - apr-1.6.3
>>>>> - tomcat-native-1.2.16-src
>>>>> 
>>>>> Server.xml apr connector (Certificates are signed from
>>>>> GoDaddy and are placed in the conf directory of Apache
>>>>> Tomcat):
>>>>> 
>>>>> <Connector port="8443"
>>>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>            maxThreads="150" SSLEnabled="true"
>>>>>            defaultSSLHostConfigName="mydomain.com">
>>>>>   <SSLHostConfig hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
>>>>>     <Certificate certificateKeyFile="conf/server.key"
>>>>>                  certificateFile="conf/server.crt"
>>>>>                  certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>>>   </SSLHostConfig>
>>>>> </Connector>
> 
> This looks okay to me. If you start Tomcat and then use "openssl 
> s_client -connect <hostname>:<port>", does openssl connect? It
> should report the protocol and cipher suite being used to connect.
> 
> If your server is externally-accessible, consider using an external
> TLS capabilities scanner such as that from Qualys, 
> https://www.ssllabs.com/ssltest/
> 
> -chris
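As an added example (not code from this thread or from the Tomcat project), a small Python checker that reads the output of the `openssl s_client -connect <hostname>:<port>` run Chris asks for, reports the negotiated protocol and cipher, and separates a verify code 20 (OpenSSL has no trust anchor for the chain, harmless with a self-signed certificate or an unrecognised CA, as noted above) from a real handshake failure, which is the same class of failure Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The two transcripts embedded in it are constructed and trimmed, not captured from Thomas's server.

```python
import re
import sys

# Constructed, trimmed s_client transcripts; not captured from the thread's server.
SAMPLE_OK = """\
verify error:num=20:unable to get local issuer certificate
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
"""
SAMPLE_FAIL = """\
SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

def classify_s_client(output: str) -> dict:
    """Parse the SSL-Session block s_client prints after the handshake attempt."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    protocol = proto.group(1) if proto else None
    suite = cipher.group(1) if cipher else None
    code = int(verify.group(1)) if verify else None
    msg = verify.group(2) if verify else ""
    # A failed handshake still prints an SSL-Session block, but with no real cipher.
    handshake_ok = suite not in (None, "0000", "(NONE)")
    if not handshake_ok:
        diag = ("handshake failed: no protocol version / cipher suite in common "
                "(the failure Chrome shows as ERR_SSL_VERSION_OR_CIPHER_MISMATCH)")
    elif code == 0:
        diag = f"TLS up: {protocol} {suite}; chain trusted by the local OpenSSL store"
    elif code in (18, 19, 20, 21):  # X509 self-signed / issuer-not-found verify errors
        diag = (f"TLS up: {protocol} {suite}; verify code {code} ({msg}) only means "
                "OpenSSL has no trust anchor for the chain, not a connection problem")
    else:
        diag = f"TLS up: {protocol} {suite}; verify code {code} ({msg}) needs review"
    return {"protocol": protocol, "cipher": suite, "verify_code": code,
            "handshake_ok": handshake_ok, "diagnosis": diag}

if __name__ == "__main__":  # openssl s_client -connect host:8443 </dev/null 2>&1 | python3 check.py
    print(classify_s_client(sys.stdin.read())["diagnosis"])
```

Pipe the real s_client output through it (with stderr merged, since the verify lines go there) to get a one-line reading of whether the connector is serving TLS at all before worrying about the certificate chain.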

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

