15

Ubuntu 14, tomcat 7, java 7

our.crt, our.key and gd_bundle-g2-g1.crt supplied by godaddy. The bundle has 3 certs in it (as seen by vi'ing the file).

Note, our key and crt were used on node.js without issue.

We created a keystore from the existing crt as follows:

cd /etc/ssl
openssl pkcs12 -export -in our.crt -inkey our.key -out our.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root -chain

The server.xml is this:

<Server port="8005" shutdown="SHUTDOWN">

<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />



<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>


<Service name="Catalina">

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreType="PKCS12"
           keystoreFile="/etc/ssl/our.p12" keystorePass=""
           clientAuth="false" sslProtocol="TLS" />

  • Tomcat starts up with no errors.
  • The webapp works fine on port 80.
  • The server has no fw running.

We set up a local redirect from 443 to 8443:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Then try https://www.ourserver.com/ourapp

Chrome gives: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

curl example, run on the local machine:

curl -Iv https://www.ourserver.com:8443
* Rebuilt URL to: https://www.ourserver.com:8443/
* Hostname was NOT found in DNS cache
*   Trying 1xxxxxxxx...
* Connected to www.ourserver.com (1xxxx) port 8443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Any ideas?

UPDATE 1

I tried setting up a new tomcat 7 on a new server, and installed a fresh copy of the certs, and got the same error.

John Little
  • Since this "handshake failure" alert is sent by the server, you should look at the server side when debugging the problem, i.e. at log messages from tomcat. – Steffen Ullrich May 08 '15 at 14:11
  • Sadly, no errors in catalina.out – John Little May 09 '15 at 11:36
  • Any errors in localhost.* or other tomcat log files? – Norbert May 11 '15 at 21:03
  • localhost_access_log.yyyy-mm-dd has no entry when I hit the SSLed port and get the ERR_SSL_VERSION_OR_CIPHER_MISMATCH message back in chrome – John Little May 12 '15 at 10:55
  • Why don't you run that behind Apache Web Server? – Michael-O May 12 '15 at 14:12
  • Just to be sure, you do have a value for keystorePass, right? If it is a custom password (other than 'changeit'), also try specifying the same password for the keyPass property. See https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO) – Anand Bhat May 15 '15 at 01:52

6 Answers

19

Try adding a ciphers attribute to your connector tag, like:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
   TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
   TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

If this does not help, then try changing your protocol attribute from protocol="HTTP/1.1" to protocol="org.apache.coyote.http11.Http11Protocol"

For more reference see

Naman
  • Thanks for looking at this. I had found a similar reference and tried setting ciphers, but this did not help. I just tried the ones you found, restarted tomcat, but get the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, unfortunately. – John Little May 12 '15 at 13:52
  • just tried org.apache.coyote.http11.Http11Protocol as you suggest. This did not help either, unfortunately. – John Little May 12 '15 at 13:57
  • Have you tested your new p12 file? Have a look at https://drupal.star.bnl.gov/STAR/comp/onl/tools/implementing-ssl-https-tomcat-using-ca-generated-certificates & http://blog.viison.com/post/26837966486/how-to-use-openssl-certificate-with-tomcat – Naman May 13 '15 at 09:06
  • Why did this answer get the bounty if it did not help the OP? – Be Kind To New Users Jan 12 '16 at 21:59
  • This answer solves most "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" errors – Matthew Peters Jul 14 '16 at 17:22
  • The ciphers worked for me. Terrible for people who move from Windows to Linux, when you copy-paste the server.xml verbatim and break your head thinking what's wrong – madhairsilence Dec 28 '16 at 13:53
  • Adding the ciphers works. But why? This is so damn ridiculous – Thai Tran Sep 02 '18 at 17:24
3

Recently I got the same error while trying to follow the guide Securing Bitbucket Server with Tomcat using SSL, and I found this solution here.

You have to convert from pkcs12 to java keystore format:

keytool -importkeystore \
        -deststorepass changeit -destkeypass changeit \
        -destkeystore /path/to/my/keystore.jks \
        -srckeystore our.p12 -srcstoretype PKCS12

and in Tomcat, just set:

<Connector ...
          keystoreFile="/path/to/my/keystore.jks" />
Andre Figueiredo
2

Try switching sslProtocol to "TLSv1,TLSv1.1,TLSv1.2". You may want to prepend SSLv2Hello to that for the openssl / curl test cases as some older libraries will want to send the old hello before up-negotiating.

Sean Baker
2

Ubuntu 14, tomcat 7, java 7

What exact versions of Tomcat and of Java 7?

https://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5

The server.xml is this:

You are not mentioning what connector implementation you are using, but as AprLifecycleListener is removed from your server.xml it means that you are using the "Http11Protocol" (aka "BIO") implementation. Good. It should be visible from your startup logs. (If you had used the "APR" implementation, your configuration would have had to be quite different.)

curl -Iv https://www.ourserver.com/ourapp:8443

An odd URL. The port number should follow the server name, https://www.ourserver.com:8443/ourapp.

Though the message "* Rebuilt URL to: https://www.ourserver.com:8443/" from curl looks like it knows how to deal with that.

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Tomcat 7.0.57 and later has the SSLv3 protocol disabled by default because of the published SSL vulnerability (CVE-2014-3566 POODLE). That filtering of SSL protocols disables all protocols that have "SSL" in their name, including SSLv2Hello. Apparently curl tries to connect with an SSLv2Hello handshake here ("SSL23" in its message).

You need a client that supports TLS protocol (TLS 1.0, 1.1 or 1.2).

https://wiki.apache.org/tomcat/Security/POODLE
https://wiki.apache.org/tomcat/Security/Ciphers

Try switching sslProtocol to "TLSv1,TLSv1.1,TLSv1.2". You may want to prepend SSLv2Hello to that for the openssl / curl test cases as some older libraries will want to send the old hello before up-negotiating.

Good, but with one correction: the above is a value for sslEnabledProtocols attribute (not sslProtocol).

You can try connecting with OpenSSL,

openssl s_client -connect hostname:8443

openssl s_client -connect hostname:8443 -tls1

OpenSSL Doc: https://openssl.org/docs/apps/s_client.html

Tomcat 7 Configuration reference: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

Konstantin Kolinko
  • Server version: Apache Tomcat/7.0.52 (Ubuntu) Server built: Jul 24 2014 08:38:51 Server number: 7.0.52.0 OS Name: Linux OS Version: 3.13.0-30-generic Architecture: amd64 JVM Version: 1.7.0_75-b13 – John Little May 18 '15 at 16:10
  • I can't really change the client, unfortunately - the same error is given in Chrome, IE, curl and openssl. – John Little May 18 '15 at 16:11
  • openssl s_client -connect hostname:8443: CONNECTED(00000003) depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=*.respingaming.net i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 : – John Little May 18 '15 at 16:16
  • openssl s_client -connect hostname:8443 on a second server setup the same (at least it should be, but I have tried a LOT of variations) gives:root@pansy:~# openssl s_client -connect localhost:8443 CONNECTED(00000003) 139957150750368:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 305 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- – John Little May 18 '15 at 16:21
  • Try adding the '-tls1' argument to the openssl s_client command (I updated the recipe above). 7.0.52 is a bit old. You need to look into the FAQ entries that I mentioned to disable SSLv3. – Konstantin Kolinko May 18 '15 at 16:30
1

I had the same problem, and I solved it.

Please add a password to your keystore - and it works!

TimeO84
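The connector mistakes raised across this thread (the empty keystorePass in the question and TimeO84's fix, the missing ciphers attribute from Naman's answer, and Konstantin Kolinko's point that protocol lists belong in sslEnabledProtocols and that SSL* entries are filtered out since 7.0.57) can be checked mechanically before restarting Tomcat. The Python linter below is an added example, not code from any poster; the server.xml it parses is constructed from the question's connector and the attribute values quoted in the answers.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's connector (8443) plus two variants using
# attribute values quoted in the answers; no real server is touched.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreType="PKCS12" keystoreFile="/etc/ssl/our.p12"
               keystorePass="" clientAuth="false" sslProtocol="TLS" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="/etc/ssl/our.jks" keystorePass="changeit"
               sslProtocol="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" keystoreFile="/etc/ssl/our.jks"
               keystorePass="changeit" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" />
  </Service>
</Server>"""


def lint_connector(attrs):
    """Return findings for one SSLEnabled Connector's attribute dict."""
    findings = []
    # Empty keystorePass: the answers report that setting the keystore
    # password resolved this handshake failure.
    if not attrs.get("keystorePass"):
        findings.append("keystorePass is empty")
    # sslProtocol names the SSLContext; a protocol list belongs in
    # sslEnabledProtocols (Konstantin Kolinko's correction above).
    if "," in attrs.get("sslProtocol", ""):
        findings.append("protocol list in sslProtocol; use sslEnabledProtocols")
    # Tomcat 7.0.57+ drops every protocol whose name starts with SSL
    # (SSLv3, SSLv2Hello), so such entries never take effect.
    for proto in attrs.get("sslEnabledProtocols", "").split(","):
        if proto.strip().upper().startswith("SSL"):
            findings.append(f"{proto.strip()} is filtered out since Tomcat 7.0.57")
    # Without an explicit cipher list negotiation falls back to JVM defaults.
    if not attrs.get("ciphers"):
        findings.append("no ciphers attribute; pin an explicit TLS cipher list")
    return findings


def lint_server_xml(xml_text):
    """Map each SSL-enabled Connector's port to its list of findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c.attrib)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"}
```

Run it against a real conf/server.xml by passing the file contents to lint_server_xml; the clean 8445 variant shows the attribute set the answers converge on.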
1

You need to create the cert as a .jks format file.

Key Generation

1) Run the key generation command with Java's keytool

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_domain_name.jks

2) Run the CSR command

keytool -certreq -alias server -file csr.txt -keystore your_domain_name.jks

3) Submit csr.txt at Godaddy.com

Installation Instructions

1) Convert your certificate files. This needs openssl (https://www.openssl.org/). Run the command below, where xxx.pem is your domain certificate file:

openssl crl2pkcs7 -nocrl -certfile xxx.pem -out your_file_name.p7b -certfile gd_bundle-g2-g1.crt

2) Run the import command with Java's keytool

keytool -import -trustcacerts -alias server -file your_file_name.p7b -keystore your_domain_name.jks

3) Open the server.xml file under ..\Apache Software Foundation\Tomcat 7.0\conf and update the connector setting.

<Connector 
       port="443"  
       scheme="https" 
       secure="true" 
       SSLEnabled="true" 
       clientAuth="false"
       sslProtocol="TLS" 
       keyAlias="server"  
       keystoreFile="/home/user_name/your_domain_name.jks"
       keystorePass="your_keystore_password"
 />

4) You are welcome.

Huy H