
This is the situation summed up.

The configuration below is identical in server.xml for Tomcat 8.5.8 and Tomcat 9.0.64. The JKS file used was created by keytool in Java 8.

Expected behaviour is that when using HTTPS in the URL (mysite.org), NetID will start giving me a choice of client certificates from my card; I choose the correct certificate and give my PIN code, and then the web page is shown.

This works with Tomcat 8.5.8 on Java 8.

But when starting with Tomcat 9.0.64 on Java 8 or Java 17, it throws the error:

ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS

Any idea why Tomcat 9 doesn't like this configuration?

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLSv1.2"
           keystoreFile="/srv/archive/Cert/archivelux.jks" keystorePass="xxxx"
           truststoreFile="/srv/archive/Cert/archivelux.jks" truststorePass="xxxx" truststoreType="JKS"/>
Paul Bergström
  • Did you solve this problem somehow? I have a very similar problem. – Mauro Molinari Mar 23 '23 at 17:36
  • Yes, look below. – Paul Bergström Mar 30 '23 at 09:47
  • Ok, thanks. I had a completely different problem with a very similar symptom using Tomcat 9/Java 11 but not with Tomcat 8/Java 8. In my case, the ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS was caused by an old driver of the smart card containing the client certificate, which was in some way causing a TLS handshake problem when the negotiated TLS version between the client and the server was 1.3, while it was all working fine when TLS 1.2 was forced on Tomcat 9/Java 11 or when using Tomcat 8/Java 8 out of the box. – Mauro Molinari Mar 30 '23 at 13:27

1 Answer


Yes, something appears to have changed between Tomcat 8 and Tomcat 9.

The parameter sslProtocol="TLSv1.2" is accepted by Tomcat 8, but not by Tomcat 9.

There the parameter must be SSLProtocol="TLSv1.2".

Restart, and it will work.

/Paul

Paul Bergström