The latest versions of Chrome and Firefox have disabled SSLv3.0 by default, due to the POODLE vulnerability. This leads to the following error when I attempt to open a site I have set up (and which was working fine):
With Chrome:
A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
With Firefox:
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
I have researched this issue with Chrome, Firefox, Tomcat and more Tomcat docs. I understand the problem, but I can't find the documentation to configure Tomcat 7 to use only the TLS ciphers and protocols that are now safe. I'm not sure if I need to create a new cert/keypair, change my server.xml, or install a new version of Tomcat, or what. I'm not even sure what versions of cipher/protocol are now considered "acceptable" by these browsers. Can anyone point me to the docs or an example setup for this?
I'm using OpenJDK 1.7 on Ubuntu 14.04 with Tomcat 7.
Here's my cert file (redacted):
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: something
Creation date: May 4, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=something, OU=something, O=something, L=something, ST=something, C=something
Issuer: CN=something, OU=something, O=something, L=something, ST=something, C=something
Serial number: ...
Valid from: Sat May 04 17:28:21 MST 2013 until: Tue May 02 17:28:21 MST 2023
Certificate fingerprints:
MD5: ...
SHA1: ...
SHA256: ...
Signature algorithm name: SHA1withDSA
Version: 3
Here's my server.xml entry for HTTPS support:
<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/path/mykeystore"
           keystorePass="password"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLS" />
The SSL_ERROR_NO_CYPHER_OVERLAP error is specific to Mozilla Firefox. In general, this error occurs when the browser is unable to obtain the required security data from the website you are trying to access. As a result of that, the website will fail to load and you will see the SSL_ERROR_NO_CYPHER_OVERLAP error.
I had the problem on a new installation using Tomcat 8.0.23 and Java 8 build 1.8.0_45. I finally discovered that I had failed to specify the -keyalg RSA option when I created my self-signed certificate with the Java keytool utility. I deleted the old keystore and made sure to include that option when I made a new keystore. That fixed the problem.
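As an added example that is not part of the question or either answer above, the POSIX shell script below ties the two threads together: it regenerates the keystore with an RSA key pair (the -keyalg RSA option from the last answer; the "SHA1withDSA" line in the question's keystore listing is the tell that the original key was DSA, and current Chrome and Firefox no longer offer any DSS cipher suite, so no protocol setting can produce an overlap) and writes a Connector fragment for Tomcat 7's JSSE connector that enables only TLS protocol versions and RSA-authenticated cipher suites. The alias "tomcat", password "changeit", the distinguished name, the port and the output locations are assumed placeholders; the protocol and cipher names are standard JSSE names, with the AES-GCM suites left out because Java 7 does not implement them.

```shell
#!/bin/sh
# Added example (not from the original question or answers): build a Tomcat
# keystore with an RSA key pair, confirm the key is not DSA, and write a
# server.xml Connector that enables only TLS versions and RSA cipher suites.
# Assumed placeholders: alias "tomcat", password "changeit", CN=localhost,
# port 8484. Requires a JDK on PATH for the keytool steps.

# True (exit 0) when a `keytool -list -v` listing contains a DSA-signed entry,
# i.e. a keystore generated without -keyalg RSA.
keystore_uses_dsa() {
    grep -q 'Signature algorithm name: .*DSA'
}

# Generate a 2048-bit RSA key pair with a SHA-256 self-signed certificate.
# The explicit -keyalg RSA is the option the last answer's fix hinges on;
# the key password must equal the store password for Tomcat's default setup.
make_rsa_keystore() {
    ks="$1"
    keytool -genkeypair -alias tomcat \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 \
        -dname "CN=localhost, OU=example, O=example, L=example, ST=example, C=US" \
        -keystore "$ks" -storepass changeit -keypass changeit
}

# Write a Connector fragment that refuses SSLv3 and DSS suites: only TLS
# versions are listed in sslEnabledProtocols, and every cipher suite in
# `ciphers` authenticates the server with its RSA key.
write_connector_fragment() {
    ks="$1"
    out="$2"
    cat > "$out" <<EOF
<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="$ks" keystorePass="changeit"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" />
EOF
}

# Print how many suites in a fragment's `ciphers` attribute do not use RSA
# authentication; anything but 0 means a DSS or anonymous suite slipped in.
count_non_rsa_ciphers() {
    sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' | grep -vc '_RSA_' || true
}

# Stand-alone run: generate, verify, and emit the fragment into a temp dir.
if command -v keytool >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_rsa_keystore "$dir/mykeystore.jks"
    if keytool -list -v -keystore "$dir/mykeystore.jks" -storepass changeit | keystore_uses_dsa; then
        echo "keystore still holds a DSA key; regenerate it with -keyalg RSA" >&2
        exit 1
    fi
    write_connector_fragment "$dir/mykeystore.jks" "$dir/connector.xml"
    echo "RSA keystore and Connector fragment written to $dir"
else
    echo "keytool not found; install a JDK to run the keystore steps" >&2
fi
```

Paste the generated fragment in place of the existing Connector, restart Tomcat, and confirm the change with the same `keytool -list -v` listing: the signature algorithm line should now read SHA256withRSA rather than SHA1withDSA. Dropping "TLS" from sslEnabledProtocols in favour of explicit version names matters because Tomcat 7 matches that attribute against the JSSE protocol names (TLSv1, TLSv1.1, TLSv1.2), not against the generic context name used by sslProtocol.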