tomcat-users mailing list archives

From "George S." <geor...@mhsoftware.com>
Subject Re: Apache Tomcat 8.5.24 SSL Configuration
Date Fri, 22 Dec 2017 18:47:19 GMT


On 12/21/2017 3:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
>
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
> receive the same result
>
> when running the openssl s_client command I received this as the Cipher and
> SSL version
> Protocol  : TLSv1.2
> Cipher    : DHE-RSA-AES256-GCM-SHA384
>
> I also get a message saying  "verify error:num=20:unable to get local
> issuer certificate"
> "Verify return code: 20 (unable to get local issuer certificate)"

This may not be a meaningful error. Are you specifying the CAPath or 
CAFile arguments on the command line? See this page:

https://stackoverflow.com/questions/11548336/openssl-verify-return-code-20-unable-to-get-local-issuer-certificate.

You did double-check the path and permissions on your various 
certificate files, right? Also, did you inspect your files using openssl? 
e.g.:

openssl x509 -in conf/CA_server_bundle.crt -text


You might try running Tomcat with:

-Djavax.net.debug=ssl

to enable SSL debugging. I'm not going to lie though, it can be pretty 
difficult to weed through the tons of content generated.


>
> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Peter,
>>
>> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>> Hi Thomas,
>>>
>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>>>> <tdelaney.vai@gmail.com>:
>>>>
>>>> Greetings,
>>>>
>>>> I am having trouble regarding google chrome's behavior to Apache
>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>> problem.
>>>>
>>>> When going to https://mydomain.com:8443 I receive a message from
>>>> Google Chrome.
>>>>
>>>> Google Chrome Error - This site can’t provide a secure
>>>> connection mydomain.com uses an unsupported protocol.
>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>
>>>> Unsupported protocol The client and server don't support a common
>>>> SSL protocol version or cipher suite.
>>>>
>>>> When checking Google Chrome's Browser console in the security tab
>>>> I receive: Page is not secure Valid certificate secure resources
>>>>
>>>> Here is the following background info I have for the
>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>> connector
>>>>
>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>
>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>
>>>> Packages installed:
>>>>
>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>> That may be the culprit.
>>>
>>> Apparently this (old) version of Java 7 will not provide, by default,
>>> the modern ciphers that Chrome requires. And the config is
>>> using the JSSE SSL implementation. But as you have TC Native and
>>> openssl 1.0.2 you should switch to openssl.
>> This probably isn't the problem since Thomas is using the APR
>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>> not relevant.
>>
>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>>> tomcat-native-1.2.16-src
>>>>
>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>> and are placed in the conf directory of Apache Tomcat):
>>>>
>>>> <Connector port="8443"
>>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>>> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
>>>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>>>> certificateKeyFile="conf/server.key"
>>>> certificateFile="conf/server.crt"
>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>> </SSLHostConfig> </Connector>
>> This looks okay to me. If you start Tomcat and then use "openssl
>> s_client -connect <hostname>:<port>", does openssl connect? It should
>> report the protocol and cipher suite being used to connect.
>>
>> If your server is externally-accessible, consider using an external TLS
>> capabilities scanner such as that from Qualys,
>> https://www.ssllabs.com/ssltest/
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo
>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc
>> eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf
>> 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr
>> W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+
>> ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1
>> noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY
>> O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp
>> 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF
>> mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c
>> nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha
>> 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e
>> /aq7VBV+GiEaWzZweAi8/k4R3wk=
>> =DEHk
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>

-- 
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
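The checks George and Chris describe above (inspect the certificate files with openssl, run s_client with a CA file so that "verify error:num=20" is meaningful, and confirm the bundle handed to certificateChainFile is actually ordered leaf -> intermediate -> root), as an added shell example that is not part of the thread and not code from the Tomcat project. It builds its own throwaway root/intermediate/leaf chain with the openssl CLI so it runs offline; the names (mydomain.com, CA_server_bundle.crt, the helper functions verify_leaf, chain_ok and probe_tls, and the port passed to probe_tls) are assumptions chosen to mirror the thread, not the original poster's real GoDaddy files.

```shell
#!/bin/sh
# Assumes: the openssl CLI (1.0.2 or later) is on PATH. Everything below is
# constructed for the demo; no real key material is involved.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so 'openssl req' works even where openssl.cnf is missing.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions that make a certificate usable as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Throwaway root CA (self-signed), intermediate CA, and leaf for mydomain.com.
openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.crt 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out inter.crt 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=mydomain.com" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 2 -out server.crt 2>/dev/null

# The bundle a CA typically ships (intermediate first, then root), plus a
# deliberately mis-ordered copy to show what chain_ok rejects.
cat inter.crt root.crt > CA_server_bundle.crt
cat root.crt inter.crt > wrong_order.crt

# verify_leaf LEAF [CAFILE]: 'openssl verify' with or without a CA file.
# Without CAFILE the default trust store is used, which is why a private or
# incomplete chain yields "error 20 ... unable to get local issuer certificate"
# even when the server itself is fine (George's point above).
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1 || true
  else
    openssl verify "$1" 2>&1 || true
  fi
}

# chain_ok LEAF BUNDLE: split LEAF+BUNDLE into individual PEM certificates and
# check that each certificate's issuer equals the subject of the next one.
# Returns 0 only when the file is ordered leaf -> intermediate(s) -> root.
chain_ok() {
  d=$(mktemp -d)
  cat "$1" "$2" | awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}'
  n=$(ls "$d" | wc -l)
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -in "$d/c$i.pem" | sed 's/^[^=]*= *//')
    subject=$(openssl x509 -noout -subject -in "$d/c$j.pem" | sed 's/^[^=]*= *//')
    if [ "$issuer" != "$subject" ]; then
      rm -rf "$d"
      return 1
    fi
    i=$j
  done
  rm -rf "$d"
  return 0
}

# probe_tls HOST:PORT CAFILE: the s_client check Chris suggests, with SNI set
# (Tomcat's SSLHostConfig hostName is selected by SNI) and the CA file given so
# the "Verify return code" reflects the chain the server sent. Not run here
# because it needs a live listener; call it as e.g.
#   probe_tls mydomain.com:8443 CA_server_bundle.crt
probe_tls() {
  openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -E '^ *(Protocol|Cipher|Verify return code)'
}

# Stand-alone run: show both outcomes of the verify check and the chain test.
verify_leaf server.crt
verify_leaf server.crt CA_server_bundle.crt
if chain_ok server.crt CA_server_bundle.crt; then echo "bundle order: OK"; fi
if chain_ok server.crt wrong_order.crt; then :; else echo "wrong_order.crt: chain is not leaf->intermediate->root"; fi
```

The first verify_leaf call reproduces the "unable to get local issuer certificate" message from the thread purely because no CA file was supplied; the second, with the bundle, prints "server.crt: OK". chain_ok is the check to run on the file you hand to certificateChainFile before touching Tomcat, since a bundle that is concatenated in the wrong order verifies fine with openssl verify (which treats every certificate in -CAfile as trusted) but is not what the connector expects.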
