Subject: Re: Apache Tomcat 8.5.24 SSL Configuration
From: Christopher Schultz
To: users@tomcat.apache.org
Date: Fri, 22 Dec 2017 13:03:46 -0500
Message-ID: <83deb31b-7b7c-736d-83af-887c44d802c5@christopherschultz.net>

Thomas,

On 12/21/17 5:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
>
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and
> still receive the same result
>
> when running the openssl s_client command I received this as the
> Cipher and SSL version
>     Protocol : TLSv1.2
>     Cipher   : DHE-RSA-AES256-GCM-SHA384

Good, OpenSSL can connect which means that TLS is at least set up
properly and running.

> I also get a message saying "verify error:num=20:unable to get
> local issuer certificate" "Verify return code: 20 (unable to get
> local issuer certificate)"

That's not a problem, especially if you are using a self-signed
certificate or a CA that OpenSSL doesn't recognize.

If you can't use SSLLabs's test, you might be able to use this one:

https://wiki.apache.org/tomcat/tools/SSLTest.java
(and)
https://wiki.apache.org/tomcat/tools/SSLUtils.java

-chris

> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> Peter,
>
> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>> Hi Thomas,
>>
>>> On 21.12.2017 at 00:56, Thomas Delaney wrote:
>>>
>>> Greetings,
>>>
>>> I am having trouble regarding google chrome's behavior to
>>> Apache Tomcat's SSL setup. I have been successful getting
>>> an ssl website to work with Apache HTTP web server, but not
>>> Apache Tomcat 8.5.24 on google chrome. Mozilla Firefox
>>> brings me to my site with no problem.
>>>
>>> When going to https://mydomain.com:8443 I receive a message
>>> from Google Chrome.
>>>
>>> Google Chrome Error - This site can't provide a secure
>>> connection. mydomain.com uses an unsupported protocol.
>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>
>>> Unsupported protocol: The client and server don't support a
>>> common SSL protocol version or cipher suite.
>>>
>>> When checking Google Chrome's Browser console in the
>>> security tab I receive: "Page is not secure", "Valid
>>> certificate", "secure resources".
>>>
>>> Here is the following background info I have for the
>>> configuration I gave Apache Tomcat when setting up the
>>> 8443 connector
>>>
>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>
>>> Linux OS: SUSE Enterprise 12 sp1
>>>
>>> Packages installed:
>>>
>>> - OpenSSL 1.0.2n 7 Dec 2017
>>> - jdk version 1.7.0_79
>>
>> That may be the culprit.
>>
>> Apparently this (old) version of Java7 will not provide in
>> the default modern ciphers that Chrome requires. And the
>> config is using the JSSE SSL implementation. But as you have
>> TC Native and openssl 1.0.2 you should switch to openssl.
>
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7
> is not relevant.
>
>>> - tomcat version -> apache-tomcat-8.5.24
>>> - apr-1.6.3
>>> - tomcat-native-1.2.16-src
>>>
>>> Server.xml apr connector (Certificates are signed from
>>> GoDaddy and are placed in the conf directory of Apache
>>> Tomcat):
>>>
>>> <Connector port="8443"
>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>            maxThreads="150" SSLEnabled="true"
>>>            defaultSSLHostConfigName="mydomain.com">
>>>   <SSLHostConfig hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
>>>     <Certificate certificateFile="conf/server.crt"
>>>                  certificateChainFile="conf/CA_server_bundle.crt"
>>>                  type="RSA" />
>>>   </SSLHostConfig>
>>> </Connector>
>
> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect <host>:<port>", does openssl connect? It
> should report the protocol and cipher suite being used to connect.
>
> If your server is externally-accessible, consider using an external
> TLS capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
>
> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
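As an added example (my own shell script, not code from this thread, from Tomcat, or from the SSLTest.java linked above), the following wraps the `openssl s_client` check Chris recommends and parses the three lines of its output the replies discuss: `Protocol`, `Cipher` and `Verify return code`. It lets a script distinguish "handshake failed" (what Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH) from "handshake fine, chain merely not trusted by the local openssl" (verify code 20). The host `mydomain.com`, port 8443 and all function and variable names are placeholders of mine, and both transcripts are constructed, not captured from Thomas's server.

```shell
#!/bin/sh
# Added example for the Tomcat users thread above; not code from the list or
# from Tomcat. Function names, host and port are my own placeholders.

# Negotiated protocol from an s_client transcript on stdin, e.g. "TLSv1.2".
sclient_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Negotiated cipher suite, e.g. "DHE-RSA-AES256-GCM-SHA384"; "0000" after a failed handshake.
sclient_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Numeric verify result: 0 = chain verified, 20 = "unable to get local issuer certificate".
sclient_verify_code() {
    sed -n 's/^Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Summarise a transcript passed as one string. Code 20 only means the issuing CA
# is not in openssl's trust store, which is why the thread treats it as harmless;
# an empty or 0000 cipher means the server accepted none of the offered suites.
classify_sclient() {
    cipher=$(printf '%s\n' "$1" | sclient_cipher)
    proto=$(printf '%s\n' "$1" | sclient_protocol)
    code=$(printf '%s\n' "$1" | sclient_verify_code)
    case "$cipher" in
        ""|0000|"(NONE)") echo "handshake-failed"; return 0 ;;
    esac
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "legacy-protocol"; return 0 ;;
    esac
    if [ "$code" = "0" ]; then echo "ok"; else echo "chain-unverified"; fi
}

# Live probe (needs network, so not exercised offline): sends SNI so Tomcat
# selects the SSLHostConfig named for the host, and passes extra flags such as
# -tls1_2 through to pin one protocol version. Usage: probe_tls mydomain.com 8443 -tls1_2
probe_tls() {
    host="$1"; port="$2"; shift 2
    openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>&1
}

# Constructed transcript mirroring what Thomas reported: TLSv1.2 negotiated,
# GoDaddy-signed chain that the local openssl could not verify.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
Verify return code: 20 (unable to get local issuer certificate)
---'

# Constructed transcript resembling a rejected handshake (no shared cipher suite):
# s_client still prints an SSL-Session block, but with cipher 0000 and no peer cert.
SAMPLE_FAILED='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
Verify return code: 0 (ok)
---'

# Offline demonstration on the constructed transcripts:
echo "reported run : $(classify_sclient "$SAMPLE_OUTPUT")"   # chain-unverified
echo "rejected run : $(classify_sclient "$SAMPLE_FAILED")"   # handshake-failed
# Against a real server: classify_sclient "$(probe_tls mydomain.com 8443 -tls1_2)"
```

Running `probe_tls` once per version flag (`-tls1_2`, `-tls1_1`, `-tls1`) shows which of the protocols listed in the SSLHostConfig the server actually completes a handshake for, which is the first thing to compare against a browser's error; a "chain-unverified" result with the right protocol and cipher is the situation Chris describes as not a problem.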