2

I have a Tomcat server for which I needed a signed certificate. I generated a key using

keytool -genkey ....

and then generated a CSR and sent it to my company admin.

They gave me back a CER file with the signed certificate and certificate chain.

I installed the root cert, intermediate cert and the signed cert in the keystore using keytool.

But when I use the cert in the server and connect with a browser, I am getting an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error in Chrome.

This is what I get when I use openssl to debug.

$ openssl s_client -connect localhost:18443 -debug -tls1 -msg

CONNECTED(00000003)
write to 0x7fecbbc1b4d0 [0x7fecbc019000] (100 bytes => 100 (0x64))
0000 - 16 03 01 00 5f 01 00 00-5b 03 01 5b 1c 08 e9 8a   ...._...[..[....
0010 - 69 73 dd 18 9f 58 98 08-b3 23 dd 76 89 3c b8 7b   is...X...#.v.<.{
0020 - 3e aa ea 61 d8 88 0f eb-af 52 45 00 00 2e 00 39   >..a.....RE....9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 04   ................
0060 - 00 23                                             .#
0064 -
TLS 1.0 Handshake [length 005f], ClientHello
    01 00 00 5b 03 01 5b 1c 08 e9 8a 69 73 dd 18 9f
    58 98 08 b3 23 dd 76 89 3c b8 7b 3e aa ea 61 d8
    88 0f eb af 52 45 00 00 2e 00 39 00 38 00 35 00
    16 00 13 00 0a 00 33 00 32 00 2f 00 9a 00 99 00
    96 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00
    08 00 06 00 03 00 ff 01 00 00 04 00 23 00 00
read from 0x7fecbbc1b4d0 [0x7fecbc014600] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02                                    .....
read from 0x7fecbbc1b4d0 [0x7fecbc014605] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
<<< TLS 1.0 Alert [length 0002], fatal handshake_failure
    02 28
24316:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.7/src/ssl/s3_pkt.c:1145:SSL alert number 40
24316:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.7/src/ssl/s3_pkt.c:566:

Any ideas what I am doing wrong?

I have tried all manner of things, from Google and Stack Overflow.

feroze
  • 245
  • 2
  • 8
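The handshake bytes in the question's `-msg` output can be decoded to see which protocol version and cipher suites the client offered and which alert the server sent back. This is an added example, not part of the original post; the function names are illustrative and `SUITE_NAMES` is a hand-picked subset of the IANA cipher-suite registry, so unlisted code points are shown as hex.

```python
# ClientHello copied from the question's "-msg" output (spaces removed).
CLIENT_HELLO = bytes.fromhex(
    "0100005b03015b1c08e98a6973dd189f589808b323dd76893cb87b3eaaea61d8"
    "880febaf524500002e00390038003500160013000a00330032002f009a009900"
    "96000500040015001200090014001100080006000300ff0100000400230000"
)
ALERT = bytes.fromhex("0228")  # alert body from the same output
# Assumption: only a few well-known suites are named in this example.
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def parse_client_hello(msg):
    """Return ((major, minor), [cipher suite code points]) for a ClientHello."""
    if msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a complete ClientHello handshake message")
    version = (msg[4], msg[5])
    pos = 6 + 32                       # past client_version and 32-byte random
    pos += 1 + msg[pos]                # past session_id (1-byte length prefix)
    suites_len = int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    if suites_len % 2 or pos + suites_len > len(msg):
        raise ValueError("bad cipher_suites length")
    return version, [int.from_bytes(msg[i:i + 2], "big")
                     for i in range(pos, pos + suites_len, 2)]


def parse_alert(body):
    level, desc = body                 # 2-byte alert: level, description
    return ALERT_LEVELS.get(level, str(level)), ALERT_DESCRIPTIONS.get(desc, str(desc))


def summarize():
    version, suites = parse_client_hello(CLIENT_HELLO)
    return {"version": version, "alert": parse_alert(ALERT),
            "suites": [SUITE_NAMES.get(s, "0x%04x" % s) for s in suites]}


if __name__ == "__main__":
    print(summarize())
```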

2 Answers

4

check if the entry is correct

If you run keytool --list -keystore <yourkeystore> then you should get back a PrivateKeyEntry, something like this:

tomcat, Aug 23, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): F2:BA:29:E...

import the certificate

If you have a signed certificate and private key, then you have to export them to a PKCS12 keystore and import it to a Java keystore. The signed certificate does not work without the key in the keystore.

#export to PKCS12, set password -> it has to be the same as the java keystore password in the next step
openssl pkcs12 -export -name tomcat -in cert.cer -inkey key.pem -out tomcat.p12

#import the pkcs12 keystore. make sure, both passwords are the same
keytool -importkeystore -destkeystore tomcat.keystore -srckeystore tomcat.p12 -srcstoretype pkcs12 -alias tomcat

cipher mismatch

Not sure if this is suitable for your problem, but perhaps it will get you closer to the solution: if there are problems with the certificate, like ERR_SSL_OBSOLETE_CIPHER, you could add this to the SSL Connector in server.xml

useCipherSuitesOrder="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
TLS_SRP_SHA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
TLS_SRP_SHA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"
chloesoe
  • 335
  • 1
  • 17
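The entry-type check from the answer above can be automated over saved `keytool` listing output. This is an added example, not code from the answer; the sample listing is constructed (aliases, dates and fingerprints are made up) and the function names are illustrative.

```python
import re

# Constructed sample in the shape of a keytool listing: the signed certificate
# was stored under "tomcat" as a certificate only, with no private key.
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:AA
intermediate, Aug 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB
tomcat, Aug 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:CC:CC:CC
"""

# The date field itself contains a comma, so take the alias as the first
# field and the entry type as the last "...Entry" field on the line.
ENTRY_LINE = re.compile(r"^(?P<alias>.+?), .*?(?P<type>\w+Entry),\s*$")


def entry_types(listing):
    """Map alias -> entry type for every entry line in the listing."""
    matches = (ENTRY_LINE.match(line) for line in listing.splitlines())
    return {m["alias"]: m["type"] for m in matches if m}


def check_server_alias(listing, alias):
    """Return findings for the alias the server should use (empty list = OK)."""
    types = entry_types(listing)
    if alias not in types:
        return ["alias %r not found; keystore has %s" % (alias, sorted(types))]
    if types[alias] != "PrivateKeyEntry":
        return ["alias %r is a %s: certificate stored without its private key"
                % (alias, types[alias])]
    return []


if __name__ == "__main__":
    print(check_server_alias(SAMPLE_LISTING, "tomcat"))
```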
0

The above answer helped me diagnose the cause of my "ssl or cipher mismatch" after I switched from running Tomcat inside the IntelliJ IDE and got it set up for standalone running.

I had set up the keystore for a URL other than localhost (myinitials.company.com), but was trying to access it via https://localhost. As soon as I ran keytool --list -keystore <yourkeystore>, it showed that the keystore was set up for myinitials.company.com. I changed to that host name, and got no more ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Hope this helps someone else who finds this page.

Redboots
  • 1
  • 1