8

The latest versions of Chrome and Firefox have disabled SSLv3.0 by default, due to the POODLE vulnerability. This leads to the following error when I attempt to open a site I have set up (and which was working fine):

With Chrome: 

A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

With Firefox:

Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

I have researched this issue with Chrome, Firefox, Tomcat and more Tomcat docs. I understand the problem, but I can't find the documentation to configure Tomcat 7 to use only the TLS ciphers and protocols that are now safe. I'm not sure if I need to create a new cert/keypair, change my server.xml, or install a new version of Tomcat, or what. I'm not even sure what versions of cipher/protocol are now considered "acceptable" by these browsers. Can anyone point me to the docs or an example setup for this?

I'm using OpenJDK 1.7 on Ubuntu 14.04 with Tomcat 7.

Here's my cert file (redacted):

Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: something Creation date: May 4, 2013 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=something, OU=something, O=something, L=something, ST=something, C=something Issuer: CN=something, OU=something, O=something, L=something, ST=something, C=something Serial number: ... Valid from: Sat May 04 17:28:21 MST 2013 until: Tue May 02 17:28:21 MST 2023 Certificate fingerprints: MD5: ... SHA1: ... SHA256: ... Signature algorithm name: SHA1withDSA Version: 3

Here's my server.xml entry for HTTPS support:

<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/path/mykeystore" keystorePass="password" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLS" />
Improve this question

3 Answers 3

Reset to default
16

I had the problem on a new installation using Tomcat 8.0.23 and Java 8 build 1.8.0_45. I finally discovered that I had failed to specify the -keyalg RSA option when I created my self signed certificate with the Java keytool utility. I deleted the old key store and made sure to include that option when I made a new keystore. That fixed the problem.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks. I was getting this error in chrome until I added the RSA flag to look something like this: keytool -genkey -alias tomcat -keypass localhost -keystore certificates.keystore -storepass localhost -keyalg RSA
Thanks @MrZcxfph Your fix enabled me to get TLS working on Fedora 24 + Tomcat 8.0.36 + Java 1.8.0_111 after half a day of frustrations
after I tried everything on internet for 1 day, this helped me. Also tnx @false_memories for the example command
3

The complete Tomcat server.xml Connector element:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore.jks" keystorePass="changeit" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

This works for me, I am using JRE1.7 and Tomcat7 server also. But setting sslEnabledProtocols not work for me, here using sslProtocol="TLS" instead, and specify the ciphering algorithm explicitly.

Improve this answer

Comments

0

You need to widen sslEnabledProtocols to include TLSv1 &ff, depending on your Java version.

You specify ciphers with the ciphers element of the connector.

Nothing to do with the certificate.

Improve this answer

4 Comments

Thank you for your response - but what are the actual values required for each field, though? For example, for sslEnabledProtocols I have tried "TLS", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.1,TLSv1.2" with no success. I don't get any error messages in the Tomcat log, but the browser(s) still will not connect.
Try sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" as described in wiki.apache.org/tomcat/Security/POODLE
I actually wound up generating a new self-signed certificate and that solved the problem. I have no idea why the old one stopped working but thank you, I'm marking your answer correct.
Having same problem. It is nowhere mentioned here WHICH ciphers I should mention in the ciphers attribute. adding the sslEnabledProtocols attribute alone (with the specified value) isn't enough.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.