M. Ozn

Reputation: 1220

Tomcat8 SSL connector

I followed the official tutorial to install SSL on Tomcat 8, but my browser is giving me an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.

First of all, I give you the information about the server:

I use https://10.1.5.55:8200/ as the URL to connect to my server (which is working with the HTTP protocol).

The first thing which confused me was the fact that all tutorials are talking about a connector like:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" .../>

But the basic config file server.xml provides me this template:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Anyway, I followed the tutorial and generated my keystore under E:\keys:

keytool -genkey -alias myapp -keystore myapp-keystore

For "First and Last Name" I typed 10.1.5.55:8200, for the password I typed changeit, and I pressed return to use the same password for the key.

Then I wrote my connector like this (I modified the HTTP port to run on 8199):

<Connector
    port="8200"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    maxThreads="300"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="E:\keys\myapp-keystore"
    keystorePass="changeit"
/>

But I got the error at this point.

Now here are all the solutions I tried:

And finally I tried to add ciphers. Here is the list I used:

ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
"

I got this list from here, and here I learned that Tomcat 7 with Java 7 works differently from Tomcat 8 with Java 8. I tried, as recommended here, to remove "sslProtocol" and add "useServerCipherSuitesOrder", but nothing worked; my browser always gives the same error.

Can someone please tell me how to solve this?

Upvotes: 2

Views: 792

Answers (1)

pedrofb

Reputation: 39241

You are generating a DSA certificate of 1024 bits, and Chrome stops/stopped supporting DSA (DSS), as shown also here or here. Try to generate an RSA certificate of 2048 bits.

Replace this command

keytool -genkey -alias myapp -keystore myapp-keystore

with

keytool -genkey -alias myapp -keystore myapp-keystore -keyalg RSA

Upvotes: 3
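The answer's point can be checked mechanically: the key type of the server certificate decides which of the configured suites can ever be negotiated, so a DSA key leaves only the TLS_DHE_DSS_* suites, and a client that offers no DSS suites has nothing in common with the server. The following is an added example, not code from the answerer, the asker, or Tomcat. It parses the ciphers value from the question, maps each suite name to the certificate key it needs (DSS suites need a DSA key; ECDSA suites and static ECDH_RSA suites need an EC key; the remaining RSA-tagged suites need an RSA key), flags RC4/3DES suites as weak, and intersects the usable server suites with a client list in server order, as useServerCipherSuitesOrder would. BROWSER_LIKE_CLIENT is a constructed list that stands in for a browser without DSS suites; it is not any real browser's cipher list.

```python
"""Classify Tomcat-configured TLS suites by required certificate key and check negotiation."""
from typing import Dict, List, Optional

# The ciphers="..." value from the question, copied here as a constant
# (constructed copy; the SCSV name is spelled as the JSSE constant).
CONFIGURED_CIPHERS = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, "
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, "
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "
    "TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
)

# Constructed client offer standing in for a browser that dropped every DSS suite.
# This is an assumption for illustration, NOT Chrome's real cipher list.
BROWSER_LIKE_CLIENT = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]

WEAK_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "anon")


def parse_cipher_attribute(value: str) -> List[str]:
    """Split a Tomcat ciphers="..." value into suite names (comma-separated, trimmed)."""
    return [s.strip() for s in value.split(",") if s.strip()]


def parse_suite(name: str) -> Optional[Dict[str, object]]:
    """Return what a suite needs from the server certificate, or None for a
    signaling value such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV (it has no '_WITH_')."""
    if "_WITH_" not in name:
        return None
    kx = name[len("TLS_"):].split("_WITH_", 1)[0]
    tokens = kx.split("_")                     # e.g. ["ECDHE", "RSA"] or ["RSA"]
    auth = tokens[-1]
    if auth == "RSA":
        # Static ECDH_RSA suites need an EC key in an RSA-signed certificate
        # (RFC 4492); every other RSA-tagged suite needs an RSA key.
        key_type = "EC" if tokens[0] == "ECDH" else "RSA"
    elif auth == "ECDSA":
        key_type = "EC"
    elif auth == "DSS":
        key_type = "DSA"
    else:
        key_type = None                        # anonymous/PSK: no certificate key
    return {
        "name": name,
        "key_type": key_type,
        "forward_secrecy": tokens[0] in ("ECDHE", "DHE"),
        "weak": any(m in name for m in WEAK_MARKERS),
    }


def usable_suites(value: str, cert_key_type: str, drop_weak: bool = False) -> List[str]:
    """Suites from the connector list that a certificate with this key type can serve."""
    out = []
    for name in parse_cipher_attribute(value):
        info = parse_suite(name)
        if info is None or info["key_type"] != cert_key_type:
            continue
        if drop_weak and info["weak"]:
            continue
        out.append(name)
    return out


def negotiable(value: str, cert_key_type: str, client_suites: List[str]) -> List[str]:
    """Suites both sides can use, kept in server order (useServerCipherSuitesOrder).
    An empty result is the condition the browser reports as a cipher mismatch."""
    client = set(client_suites)
    return [s for s in usable_suites(value, cert_key_type) if s in client]


if __name__ == "__main__":
    for key in ("DSA", "RSA", "EC"):
        print(key, len(usable_suites(CONFIGURED_CIPHERS, key)), "usable;",
              "negotiable:", negotiable(CONFIGURED_CIPHERS, key, BROWSER_LIKE_CLIENT))
```

With a DSA key only the six TLS_DHE_DSS_* suites survive and the intersection with the client offer is empty, which is the situation behind the ERR_SSL_VERSION_OR_CIPHER_MISMATCH in the question. With an RSA key nine suites remain (eight once the 3DES suite is dropped as weak) and the server-ordered negotiation lands on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. The weak flag also makes it easy to prune the RC4 and 3DES entries from the configured list before deploying it.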
