Question

I'm having trouble using a browser to access my SSL/TLS-enabled tomcat-6.0.36-windows-x64 server. It works fine with OpenSSL but not with any browser.

Initializing looks fine:

16.01.2013 16:45:09 org.apache.coyote.http11.Http11AprProtocol init

INFO: Initializing Coyote HTTP/1.1 on http-8443

Also, with OpenSSL (openssl s_client -tls1 -connect localhost:8443) the result is:

New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA

Server public key is 256 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol  : TLSv1

Cipher : ECDH-ECDSA-AES256-SHA

Only web browsers don't work:

Firefox 15.0.1 says: ssl_error_no_cypher_overlap

Chrome 24.0.1312.52 m: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

That's the Tomcat configuration:

<Connector port="8443" maxHttpHeaderSize="8192"
    protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" scheme="https" secure="true"
    SSLProtocol="all"
    enableLookups="false" disableUploadTimeout="true" acceptCount="100" SSLEnabled="true" SSLCertificateFile="../ecc_servercert.crt" SSLCertificateKeyFile="../ec_serverkey.pem" />

The certificate is based on an elliptic curve algorithm:

openssl ecparam -out c:\ecc\ec_serverkey.pem -name secp256k1 -genkey

openssl req -new -x509 -nodes -days 365 -key c:\ecc\ec_serverkey.pem -out c:\ecc\ecc_servercert.crt

I hope someone has an idea? According to hours of searching, the browsers should support this configuration ...

Regards, Tobi


Solution

I think that there are two possibilities:

  1. Either you use the APR connector and the Tomcat native libraries as well, so it will throw the error. (More info: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File)

  2. Or you use the same port for both HTTP and HTTPS: in your connector you use 8443, which is usually used for HTTP. (Have you tried to use port="443" rather than "8443"?)

Other suggestions

ashiii is incorrect; it's because the ECC curve secp256k1 is not supported in Chrome or Firefox.

prime256v1 and secp384r1 are good alternatives. See http://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use
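The following script is an added example and is not code from the question or from either answer. It regenerates the key and self-signed certificate on prime256v1 (P-256) with the same file names the question uses, so the Connector attributes stay as they are, and reads the curve back out of the certificate's public key so you can confirm what was actually deployed before restarting Tomcat. It assumes openssl is on PATH; the directory names, the CN "localhost" and the browser_ok_curve allow-list (P-256 and P-384, per the suggestion above) are the example's own choices, not something the page specifies.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Regenerate the Tomcat key and self-signed certificate on prime256v1
# (P-256) instead of secp256k1, and check which curve a certificate's
# public key actually carries.
# Assumptions: openssl is on PATH; directory and host names are illustrative.
set -eu

# Print the named curve of a certificate's EC public key, e.g. "prime256v1".
cert_curve() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl ec -pubin -noout -text 2>/dev/null \
        | sed -n 's/^ *ASN1 OID: *//p'
}

# Generate an EC key on curve $1 and a one-year self-signed certificate for
# host $2 in directory $3, using the question's file names so the Tomcat
# Connector attributes stay unchanged.
make_ec_cert() {
    curve=$1 host=$2 dir=$3
    mkdir -p "$dir"
    openssl ecparam -name "$curve" -genkey -noout -out "$dir/ec_serverkey.pem"
    openssl req -new -x509 -nodes -days 365 -subj "/CN=$host" \
        -key "$dir/ec_serverkey.pem" -out "$dir/ecc_servercert.crt"
}

# Succeed only for the curves the suggestion above names as alternatives
# (constructed allow-list: P-256 and P-384; secp256k1 is deliberately absent).
browser_ok_curve() {
    case "$1" in
        prime256v1|secp256r1|secp384r1) return 0 ;;
        *) return 1 ;;
    esac
}

# Report whether a certificate's curve is on the allow-list.
report() {
    c=$(cert_curve "$1")
    if browser_ok_curve "$c"; then
        echo "$1: $c (browser-compatible)"
    else
        echo "$1: $c (browsers will refuse the handshake)"
    fi
}

work=$(mktemp -d)
# The question's setup; skipped if this openssl build lacks secp256k1.
if make_ec_cert secp256k1 localhost "$work/k1" 2>/dev/null; then
    report "$work/k1/ecc_servercert.crt"
fi
# The fix: same Connector, key and certificate regenerated on prime256v1.
make_ec_cert prime256v1 localhost "$work/p256"
report "$work/p256/ecc_servercert.crt"
rm -rf "$work"
```

After copying the regenerated ec_serverkey.pem and ecc_servercert.crt over the files referenced by SSLCertificateKeyFile and SSLCertificateFile and restarting Tomcat, the openssl s_client check from the question should still succeed, and the browsers should now negotiate an ECDHE/ECDSA suite instead of reporting ssl_error_no_cypher_overlap or ERR_SSL_VERSION_OR_CIPHER_MISMATCH.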

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow