SSL not working for Tomcat 8

Question

I'm trying to configure SSL(https) for tomcat 8 and have done below steps but still its not working

1) Create the keystore file using

keytool -genkey -alias myservername -keyalg RSA

2) Generated CSR as below

keytool -certreq -alias myservername -file C:\tomcat_ssl\local_machine\test.csr -keystore C:\tomcat_ssl\local_machine\test.keystore

3) Then we had Generated the Certificate and then imported the chain certificate and certificate as below

keytool -import -alias root -keystore C:\tomcat_ssl\local_machine\test.keystore -trustcacerts -file C:\tomcat_ssl\local_machine\srv_chain.cer

keytool -import -alias myservername -keystore C:\tomcat_ssl\local_machine\test.keystore -file C:\tomcat_ssl\local_machine\srv_main.cer

4) Finally Did the changes in tomcat server.xml as below

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\tomcat_ssl\local_machine\test.keystore" keystorePass="123" keystoreAlias="myservername"/>

Restarted the tomcat and its not working and showing below screen

In tomcat logs it's not showing any errors and also i have tried other options like keeping cipher tag in connection, Enabled TLS 1,2,3 , changing https port etc no avail.

Also i have tested the https port 443 and it's showing as listening when i netstat. Any idea why this is not working

Added Logs after enabling ssl debugging in tomcat

http-nio-443-exec-5, fatal error: 10: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
http-nio-443-exec-5, WRITE: TLSv1.2 Alert, length = 2
http-nio-443-exec-5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, called closeOutbound()
http-nio-443-exec-5, closeOutboundInternal()
[Raw write]: length = 7

Answer 1

As you are using java 8, thus default will TLS 1.2.

By looking at your screenshot, client TLS is not enabled in your IE 11. By default IE 11 has SSL 3.0, TLS 1.0, 1.1, 1.2 enabled.

If you see the protocols matrix, you will come to why the connection is not successful.

Thus, please update your IE 11 SSL TLS settings or try to use another browser to verify.

Answer 2

I had the same issue long time ago.

Mi solution was (the steps that I follow here depends on the CA instructions, the CA site ussually have the complete instruccions of how generate the certificate correctly):

1. Create the certificate again but with the following commands (keysize 2048) (make sure that name and lastname are the same as your site name example: yourhost.com:

keytool -genkey -alias yourhost.com -keyalg RSA -keysize 2048 -keystore servername.jks

2. Genearate de csr

keytool -certreq -alias yourhost.com -file mycsr.txt -keystore servername.jks

3. Install the certificate

keytool -import -trustcacerts -alias yourhost.com -file file-from-your-ca.p7b -keystore servername.jks

On the server.xml connector put the following configuration (note: the sslProtocol possible values depends on the jvm that your are using, please see the possible values for java 8 java 8 ssl values)

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"  keystoreFile="/home/myserver/ssl/servername.jks" keystorePass="yourpass" keystoreAlias="yourhost.com" sslProtocol="TLSv1.2"  />

Restart tomcat

There are more examples of how configure secure connector on this site: Secure Tomcat