
I'm trying to configure SSL (HTTPS) for Tomcat 8 and have done the steps below, but it's still not working.

1) Create the keystore file using

keytool -genkey -alias myservername -keyalg RSA -keystore C:\tomcat_ssl\local_machine\test.keystore

2) Generated CSR as below

keytool -certreq -alias myservername -file C:\tomcat_ssl\local_machine\test.csr -keystore C:\tomcat_ssl\local_machine\test.keystore

3) Then we generated the certificate and imported the chain certificate and the server certificate as below

keytool -import -alias root -keystore C:\tomcat_ssl\local_machine\test.keystore -trustcacerts -file C:\tomcat_ssl\local_machine\srv_chain.cer

keytool -import -alias myservername -keystore C:\tomcat_ssl\local_machine\test.keystore -file C:\tomcat_ssl\local_machine\srv_main.cer

4) Finally, made the changes in Tomcat's server.xml as below

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\tomcat_ssl\local_machine\test.keystore" keystorePass="123" keystoreAlias="myservername"/>

Restarted Tomcat, but it's not working and shows the screen below

(screenshot: Error when accessing tomcat https)

The Tomcat logs show no errors, and I have also tried other options like adding the cipher tag to the connector, enabling TLS 1, 2 and 3, changing the HTTPS port, etc., to no avail.

Also, I have tested HTTPS port 443 and it shows as listening in netstat. Any idea why this is not working?

Added logs after enabling SSL debugging in Tomcat:

http-nio-443-exec-5, fatal error: 10: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
http-nio-443-exec-5, WRITE: TLSv1.2 Alert, length = 2
http-nio-443-exec-5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, called closeOutbound()
http-nio-443-exec-5, closeOutboundInternal()
[Raw write]: length = 7
JavaGeek
  • any error logs during server start up? have you checked in any other browser (chrome/mozilla)? – Jos Jul 16 '17 at 14:41
  • @redflar3 Hi, actually in all server logs there is no error information. I have checked only in IE 11, as other browsers are not allowed here... – JavaGeek Jul 16 '17 at 14:45
  • What Java version are you using? Could you test your server with SSLLabs? If not, you can build a simple Java client and debug the SSL connection with `-Djavax.net.debug=all` to get a detailed log at the client side. Add the results to your question – pedrofb Jul 19 '17 at 14:22
  • @pedrofb I am using Java 8 and after enabling the SSL debug in Tomcat, I have provided the log messages in my original question. Mostly the error is as below. Do you think the TLS 1.2 disable issue is causing this error? http-nio-443-exec-5, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled – JavaGeek Jul 19 '17 at 16:36
  • Seems your client is sending a SSLv2Hello message and the server does not allow it. Try to enable it in Tomcat like here and enable it in the JDK with `-Dsun.security.ssl.allowUnsafeRenegotiation=true`. I am not sure if this is the right way to enable SSLv2Hello. After this test, try to disable SSLv2 in Internet Explorer and enable only TLS – pedrofb Jul 19 '17 at 18:44
  • @pedrofb I have tried these options but still the same issue. I suspect TLS protocols were disabled at the Windows OS level on the Tomcat server. Tomorrow I will check with the Admin team and update here. Thanks for your help – JavaGeek Jul 19 '17 at 18:58
  • Some blogs indicate that you have to make sure you have TLSv1, v1.1 and v1.2 enabled in IE, including SSLv2. But that would not affect Chrome for example. Maybe it is a firewall issue... – pedrofb Jul 20 '17 at 13:55
  • Tried enabling all TLS and SSL but to no avail... seems strange – JavaGeek Jul 23 '17 at 19:37
  • With a self-signed certificate it's working, but the issue occurs when I import the root and server certificates. Tried initially with an import in .cer format and it didn't work, and again tried with PEM format and it still didn't work – JavaGeek Jul 25 '17 at 17:01
  • Then it is probably an issue with the certification chain. How did you get srv_main.cer? Are you sure it contains the full chain? A .cer file has only one cert. I suggest opening the keystore with the KeyStore Explorer tool to verify that the private key entry really has the chain – pedrofb Jul 25 '17 at 22:00
  • Can you add a Wireshark hexdump of the SSL negotiation (Follow TCP Stream -> HexDump)? – Shloim Jul 26 '17 at 06:35
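The `SSLv2Hello is disabled` line in the debug log means the first record on the connection was a ClientHello wrapped in the SSLv2 2-byte record header (the legacy compatibility framing), which JSSE rejects unless `SSLv2Hello` is listed in the connector's `sslEnabledProtocols`. As an added example that is not part of the question or any answer, this Python classifier tells the two framings apart from the first bytes of a capture such as the Wireshark hex dump asked for above; both sample records are constructed.

```python
import struct

# Wire version bytes mapped to the names Tomcat's sslEnabledProtocols uses.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1",
                 (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}

def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown(%d.%d)" % (major, minor))

def classify_client_hello(data):
    """Classify the first record a client sends: 'TLS' (a normal handshake
    record) or 'SSLv2Hello' (a ClientHello wrapped in the SSLv2 2-byte header,
    which JSSE rejects with 'SSLv2Hello is disabled' unless it is enabled)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    if data[0] == 0x16 and data[1] == 0x03:  # content type 22 = handshake, major 3
        record_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + record_len]
        if len(body) < 6 or body[0] != 0x01:  # handshake type 1 = ClientHello
            raise ValueError("handshake record is not a ClientHello")
        return {"framing": "TLS",
                "record_version": version_name(data[1], data[2]),
                "client_version": version_name(body[4], body[5])}
    if data[0] & 0x80:  # SSLv2 2-byte header: high bit set, 15-bit length
        msg_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
        body = data[2:2 + msg_len]
        if len(body) < 9 or body[0] != 0x01:  # msg_type 1 = CLIENT-HELLO
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        cs_len = struct.unpack("!H", body[3:5])[0]
        specs = body[9:9 + cs_len]  # V2 cipher specs are 3 bytes each
        return {"framing": "SSLv2Hello",
                "client_version": version_name(body[1], body[2]),
                "cipher_specs": [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]}
    raise ValueError("not a TLS or SSLv2-framed ClientHello")

# Constructed sample 1: SSLv2-framed CLIENT-HELLO offering TLS 1.0 with two cipher
# specs (00 00 2f = TLS_RSA_WITH_AES_128_CBC_SHA, 01 00 80 = SSL2 RC4-128-MD5).
SSLV2_HELLO = bytes.fromhex(
    "80 1f"              # header: high bit set, length 31
    "01 03 01"           # CLIENT-HELLO, highest version 3.1
    "00 06 00 00 00 10"  # cipher_spec_len, session_id_len, challenge_len
    "00 00 2f 01 00 80"  # cipher specs
    "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f")  # 16-byte challenge

# Constructed sample 2: the same offer in TLS record framing (client_version 3.3).
TLS_HELLO = (bytes.fromhex("16 03 01 00 2d"  # handshake record, version 3.1, length 45
                           "01 00 00 29"     # ClientHello, length 41
                           "03 03")          # client_version TLS 1.2
             + bytes(32)                     # 32-byte random (constructed zeros)
             + bytes.fromhex("00 00 02 00 2f 01 00"))  # no session id, 1 suite, null compression
```

Paste the first client-to-server bytes from the capture into bytes.fromhex(); an 'SSLv2Hello' result means the mismatch is between the client's protocol settings and the connector's sslEnabledProtocols, not in the certificate import.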

6 Answers


As you are using Java 8, the default will be TLS 1.2.

Looking at your screenshot, client TLS is not enabled in your IE 11. By default IE 11 has SSL 3.0, TLS 1.0, 1.1 and 1.2 enabled.

If you look at the protocols matrix, you will see why the connection is not successful.

Thus, please update your IE 11 SSL TLS settings or try to use another browser to verify.

Rishikesh Darandale
  • If you still want to do it at tomcat level, then probably you need enable `SSLv3` on tomcat side. Please check footnote2 mentioned [here](https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols) – Rishikesh Darandale Jul 20 '17 at 16:09
  • Thanks for information...I will check the Matrix and try few things and update here – JavaGeek Jul 20 '17 at 17:11
  • @JavaGeek, did the above information help to resolve your issue? – Rishikesh Darandale Jul 24 '17 at 13:47
  • @JavaGeek, You should probably *not* do this, but try enabling the `SSLv3` by removing it from variable `jdk.tls.disabledAlgorithms` of file `/jre/lib/security/java.security`. This is just for your testing purpose, I will not recommend this in `production` environment. – Rishikesh Darandale Jul 25 '17 at 13:51

I had the same issue a long time ago.

My solution was as follows (the steps I follow here depend on the CA's instructions; the CA site usually has complete instructions on how to generate the certificate correctly):

  1. Create the certificate again but with the following commands (keysize 2048); make sure that the first and last name are the same as your site name, for example yourhost.com:

keytool -genkey -alias yourhost.com -keyalg RSA -keysize 2048 -keystore servername.jks

  2. Generate the CSR

keytool -certreq -alias yourhost.com -file mycsr.txt -keystore servername.jks

  3. Install the certificate

keytool -import -trustcacerts -alias yourhost.com -file file-from-your-ca.p7b -keystore servername.jks

In the server.xml connector, put the following configuration (note: the possible sslProtocol values depend on the JVM that you are using; please see the possible values for Java 8: java 8 ssl values)

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"  keystoreFile="/home/myserver/ssl/servername.jks" keystorePass="yourpass" keystoreAlias="yourhost.com" sslProtocol="TLSv1.2"  />

Restart tomcat

There are more examples of how to configure a secure connector on this site: Secure Tomcat

Daniel C.
  • I have tried but it still gives "Page cannot be displayed. Turn on TLS 1.0, TLS 1.1 and TLS 1.2", as provided in the initial snapshot – JavaGeek Jul 19 '17 at 14:02
  • Hi, looking at the logs I can see the error message: SSLv2Hello is disabled; that means that your client is trying to connect using SSLv2. In that case please use the following values in the server.xml connector: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" – Daniel C. Jul 20 '17 at 03:38
  • Also, could you please let me know the JRE version that your Tomcat is using? It works for me using JRE 1.8 – Daniel C. Jul 20 '17 at 03:42
  • I'm using JRE 1.8.0_121. Did you keep any extra settings in either server.xml or the Tomcat Java parameters for enabling TLS? Kindly let me know – JavaGeek Jul 20 '17 at 17:17
  • Yes: sslProtocol="TLSV1.2" clientAuth="false" protocol="HTTP/1.1" – Daniel C. Jul 20 '17 at 18:23
  • You can also try just creating the keystore but not signing it (just step 1), just the keystore without the certificate from your CA; try it and check if it works. This option helps you to isolate the problem, because one possible problem could be the certificate that comes from your CA. – Daniel C. Jul 21 '17 at 00:38
  • Yes, with a self-signed JKS it is working, but the issue occurs only when the certificate is imported. We have tried with both root and server certificate import (.cer format) and it didn't work. And then tried to regenerate it, convert to PEMs, merge the PEMs and import to the JKS, but it still didn't work. Looks like some import issue with the certificate, but somehow it's not showing the error message properly, and the weird thing is the certificate gets imported successfully whether we use .cer format or PEM format – JavaGeek Jul 25 '17 at 16:59
  • In that case please try to verify the certificates; you can use openssl verify. https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 – Daniel C. Jul 26 '17 at 02:52
  • This is the openssl verify synopsis https://www.mkssoftware.com/docs/man1/openssl_verify.1.asp – Daniel C. Jul 26 '17 at 02:53
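pedrofb's comment on the question and Daniel C.'s last comments above both point at the same check: that the private key entry under the connector's keystoreAlias really holds the full chain. This added example (not from any answer) parses the output of `keytool -list -v -keystore C:\tomcat_ssl\local_machine\test.keystore` in Python and flags an entry that is only a trusted certificate or whose stored chain stops before the issuing CA; the listing embedded below is a constructed sample with placeholder names.

```python
# Constructed sample of `keytool -list -v -keystore test.keystore` output, cut
# down to the lines this check reads. Names are placeholders, not the question's.
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example

*******************************************

Alias name: myservername
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myservername, O=Example
Issuer: CN=Example Intermediate CA, O=Example
"""

def parse_listing(text):
    """Map each alias to its entry type and its list of [owner, issuer] pairs."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("Alias name: "):
            current = entries.setdefault(line[12:].strip(), {"type": None, "chain": []})
        elif current is not None and line.startswith("Entry type: "):
            current["type"] = line[12:].strip()
        elif current is not None and line.startswith("Owner: "):
            current["chain"].append([line[7:].strip(), None])
        elif current is not None and line.startswith("Issuer: "):
            current["chain"][-1][1] = line[8:].strip()
    return entries

def check_server_alias(entries, alias):
    """Problems that would stop the connector's keystoreAlias from serving a full chain."""
    entry = entries.get(alias)
    if entry is None:
        return ["alias %r not in keystore" % alias]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append("%s is a %s, so it holds no private key" % (alias, entry["type"]))
    chain = entry["chain"]
    for (owner, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:
            problems.append("certificate after %r is not its issuer" % owner)
    # keytool stores the chain up to the root when it imports a CA reply, so a
    # stored chain whose last certificate is not self-signed is missing CA certs.
    if chain and chain[-1][0] != chain[-1][1]:
        problems.append("chain stops at %r; issuing CA certificate(s) missing" % chain[-1][0])
    return problems
```

Feed it the real listing with `check_server_alias(parse_listing(open("listing.txt").read()), "myservername")`; an empty list means the entry has a private key and a linked chain ending at the root.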

Tomcat can use two different implementations of SSL:

  • the JSSE implementation provided as part of the Java runtime (since 1.4)
  • the APR implementation, which uses the OpenSSL engine by default

The exact configuration details depend on which implementation is being used. If you configured the Connector by specifying the generic protocol="HTTP/1.1", then the implementation used by Tomcat is chosen automatically. If the installation uses APR, i.e. you have installed the Tomcat native library, then it will use the APR SSL implementation; otherwise it will use the Java JSSE implementation.

Please refer to https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html for all the configuration details. I simply followed the steps and it works for me.

Most importantly, are you sure the issue is in your Tomcat? Your error may come from your browser.

  • Have you tried other browsers other than IE?
  • Which version of IE are you using?
  • Windows 7 or Windows 8?

If you face the issue only in IE, check also SSL 2.0 and SSL 3.0 under the Advanced Setting along with the recommended fix of turning on TLS 1.0, TLS 1.1, and TLS 1.2.

Kambiz
  • Thanks for the reply. I'm using the generic protocol provided and not APR. I have tried on the server itself via https://localhost and it's not working, displaying the page as pasted above. I have even tried on a Windows 7 client machine with IE 11, but it displays the same message. I have already enabled all TLS 1, 2, 3 in the Advanced settings of IE, but to no avail. – JavaGeek Jul 16 '17 at 14:59
  • Can you try with Firefox or Chrome? – Kambiz Jul 16 '17 at 15:16
  • I have tried with Chrome but it didn't work and displayed an empty page... – JavaGeek Jul 16 '17 at 15:44
  • Can you add the sslEnabledProtocols attribute in your server.xml? sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" – Kambiz Jul 19 '17 at 14:52
  • Tried enabling the debug for SSL and now it throws "Client requested Protocol SSLv3 not enabled or supported". I have placed this in server.xml and also as a supported protocol in the Tomcat Java settings – JavaGeek Jul 19 '17 at 17:48
  • Try forcing JSSE use by adding sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" in your Connector. Nothing was working for me except this. https://stackoverflow.com/questions/48679472/ssl-handshake-debugging-not-working-any-more-with-apache-tomcat-9-0-0-m22 – vladimir83 Aug 19 '19 at 07:03

I am currently facing a similar problem, and I have a strong suspicion that our problem has something to do with the Tomcat configuration within server.xml. I too see the service listening on the port, and not many helpful messages in any log files.

I was told by a colleague who got a secure Tomcat with SSL running to enter

   <Connector port="443" scheme="https" server="Secure Web Server"
              minSpareThreads="25" allowTrace="false" keystoreType="JKS"
              keystoreFile="C:\tomcat\conf\aSecureTomcat.jks" keystorePass="yourPassword"  
              connectionTimeout="20000"
              protocol="org.apache.coyote.http11.Http11NioProtocol" 
              secure="true" clientAuth="false" sslProtocol="TLS" 
              sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
              useServerCipherSuitesOrder="true" 
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"/> 

I have not figured out the minimal configuration yet, but the important part for you might be the last 5 lines of my code snippet. What does your Tomcat config look like?

B--rian
  • Unfortunately even this configuration didn't work for me – JavaGeek Jul 25 '17 at 17:24
  • It did not work for me yet (due to authentication problems even without SSL), but it did for my colleague. What my colleague suggested for you is to double-check the client-side settings (in IE) as suggested by Kambiz _so that they match your connector_. This aside, have you checked https://stackoverflow.com/questions/26488667/tomcat-7-getting-sslv2hello-is-disabled-error-when-trying-to-make-client-server ? – B--rian Jul 26 '17 at 07:58

Just change your original server.xml: sslProtocol="TLSv1.2". Include the version number. Had the same error before.


Try forcing JSSE use by adding in your Connector:

sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"

For some reason it's detecting APR and trying to use OpenSSL, which is not working. See this answer.

vladimir83