2

I have a Tomcat 7 server on Ubuntu 14.04 (Java OpenJDK 1.7) which has been working fine for over a year, with no problems. A few months ago it stopped being accessible with Chrome; I dealt with that by switching to Firefox to access this particular site. Recently (a few days ago) it stopped being accessible with Firefox.

I have consulted this question which is basically the same problem as I'm having, but that solution no longer works for some reason. As of yesterday both Chrome 41 and Firefox 37 are not showing my site. On Chrome I get this response:

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

On Firefox I get this:

Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) 

I have tried all the combinations of protocols that the answers and references recommend for Tomcat 7, but no dice. It appears that the browser makers have tightened down security enough that these parameters no longer work:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2"  />

I've been experimenting with different combinations of parameters all day and no luck. I've also been able to replicate the problem on two different Tomcat installations (the second on Windows), so I'm pretty sure it's not a machine problem.

Before I give up and install Java 8 and Tomcat 8, which will wipe out the rest of my weekend, I thought I'd ask about possible solutions here.

user3120173
  • Apparently, there are no matching ciphers for your client and your server. Have you tried to remove the restrictions on TLS on the server side? Using `openssl s_client -tls1` etc. (see the man page for other options) you can test the compatibility of the server for a certain protocol. – sebix Apr 05 '15 at 10:08
  • I started a year or two ago (before Heartbleed, before POODLE) so the server was a plain-vanilla SSL install for years. The only odd thing that OpenSSL reported was that it thinks my self-signed cert has expired - odd, since keytool tells me it's good till 2023. I'll try generating a new cert and if that doesn't work, I guess I'm into installing Tomcat 8 and praying. Thanks for your help - if you want to post your comment as an answer, I'll mark it correct since it did actually help me. – user3120173 Apr 05 '15 at 15:57
  • I have no idea of the state of crypto on Tomcat in any version, I only know that Java's SSL/TLS implementation is in a bad state. But I can't imagine that Java 1.7 and Tomcat 7, which are part of Ubuntu 14.04, don't have too weak ciphers. Or your clients are too restrictively configured, but I assume you haven't done that. – sebix Apr 05 '15 at 17:03
  • Generating a new cert appears to have solved the problem. I have no idea why a cert that's good until 2023 would suddenly be marked as "expired", but what the heck, a win is a win. As I said, if you'll post your comment as an answer I'll mark it correct. – user3120173 Apr 05 '15 at 17:59

2 Answers

5

To debug the situation you can use the command line tools of openssl, especially openssl s_client. By adding the options -tls1, -tls1_1 and -tls1_2 you can test compatibility for the protocols, and with -cipher [cipherlist] for ciphers. For example:

openssl s_client -connect example.com:443 -tls1

You will get detailed information and possibly warnings about the connection, the certificate and features (like Renegotiation, Compression, etc.). This will help to debug the issue.

sebix
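The probing workflow this answer describes, written out as an added example (not code from the original answer): a POSIX shell script that runs openssl s_client once per protocol version, classifies each transcript as "handshake completed", "no protocol/cipher overlap" or "local openssl lacks that protocol", and prints the certificate dates OpenSSL actually sees so they can be compared with what keytool reports. The host name tomcat.example.internal, port 8443 and the SAMPLE_* transcripts are constructed for illustration; the classifier works on captured text, so the samples let it be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original answer: probe a TLS listener with
# openssl s_client one protocol version at a time and classify each result.
# Assumed host/port (tomcat.example.internal:8443) and the SAMPLE_* transcripts
# below are constructed for illustration; the parser runs offline on them.

# Classify the combined stdout+stderr of one openssl s_client run.
# Prints: "OK <protocol> <cipher> verify=<code>", "NO_OVERLAP",
# or "LOCAL_OPENSSL_LACKS_PROTOCOL".
classify_s_client_output() {
    out=$1
    # The local openssl build has no such protocol (e.g. -ssl3 compiled out).
    if printf '%s\n' "$out" | grep -qiE 'no protocols available|unknown option'; then
        echo "LOCAL_OPENSSL_LACKS_PROTOCOL"
        return 0
    fi
    # Server refused this protocol version or shared no cipher with us.
    if printf '%s\n' "$out" | grep -qiE 'handshake failure|no shared cipher|wrong version number|unsupported protocol'; then
        echo "NO_OVERLAP"
        return 0
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    # "Cipher : 0000" in the session block means the handshake never completed.
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "NO_OVERLAP"
        return 0
    fi
    echo "OK $proto $cipher verify=$code"
}

# Meaning of the X509 verify return codes that matter for a self-signed Tomcat cert.
verify_code_meaning() {
    case $1 in
        0)  echo "ok" ;;
        9)  echo "certificate is not yet valid" ;;
        10) echo "certificate has expired" ;;
        18) echo "self signed certificate" ;;
        19) echo "self signed certificate in certificate chain" ;;
        21) echo "unable to verify the first certificate" ;;
        *)  echo "other ($1)" ;;
    esac
}

# Try each protocol version against host:port and print one line per result.
probe_protocols() {
    host=$1
    port=${2:-8443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(classify_s_client_output "$out")"
    done
}

# Print the subject and validity dates OpenSSL sees in the served certificate,
# to compare with what keytool -list -v reports for the keystore entry.
show_cert_dates() {
    openssl s_client -connect "$1:${2:-8443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Constructed transcript: TLSv1 handshake succeeded, but the cert is reported expired.
SAMPLE_OK=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = tomcat.example.internal
verify error:num=10:certificate has expired
notAfter=Mar 31 12:00:00 2015 GMT
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 10 (certificate has expired)
---
EOF
)

# Constructed transcript: server sent a handshake_failure alert for this protocol.
SAMPLE_FAIL=$(cat <<'EOF'
CONNECTED(00000003)
139871:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
---
EOF
)

# Live usage:  probe_protocols tomcat.example.internal 8443
#              show_cert_dates tomcat.example.internal 8443
```

A run where every -tls1* line comes back NO_OVERLAP while the local openssl is current points at the server's protocol or cipher list (or its certificate and key), not at the browsers; a line that comes back OK with verify=10 shows the served certificate is not the one you think is in the keystore, which is exactly the keytool-versus-openssl disagreement to chase with show_cert_dates.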
0

To enable TLS in Tomcat, add the parameter sslEnabledProtocols="TLSv1.X" to the Connector element in Tomcat's server.xml (in the tomcat/conf/ folder). For example, to configure TLSv1.1, use the configuration below.

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="ssl/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.1" />

Restart the server.