
SSL not working for Tomcat 8

I'm trying to configure SSL (https) for Tomcat 8 and have done the steps below, but it's still not working.

1) Create the keystore file using

keytool -genkey -alias myservername -keyalg RSA

2) Generated CSR as below

keytool -certreq -alias myservername -file C:\tomcat_ssl\local_machine\test.csr -keystore C:\tomcat_ssl\local_machine\test.keystore

3) Then we had Generated the Certificate and then imported the chain certificate and certificate as below

keytool -import -alias root -keystore C:\tomcat_ssl\local_machine\test.keystore -trustcacerts -file C:\tomcat_ssl\local_machine\srv_chain.cer

keytool -import -alias myservername -keystore C:\tomcat_ssl\local_machine\test.keystore -file C:\tomcat_ssl\local_machine\srv_main.cer

4) Finally Did the changes in tomcat server.xml as below

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\tomcat_ssl\local_machine\test.keystore" keystorePass="123" keystoreAlias="myservername"/>

Restarted Tomcat and it's not working, showing the screen below:

(Screenshot: error when accessing Tomcat over https)

In the Tomcat logs it's not showing any errors, and I have also tried other options like keeping the cipher tag in the connector, enabling TLS 1,2,3, changing the https port, etc., to no avail.

Also, I have tested the https port 443 and it shows as listening when I run netstat. Any idea why this is not working?

Added logs after enabling SSL debugging in Tomcat:

http-nio-443-exec-5, fatal error: 10: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
http-nio-443-exec-5, WRITE: TLSv1.2 Alert, length = 2
http-nio-443-exec-5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, called closeOutbound()
http-nio-443-exec-5, closeOutboundInternal()
[Raw write]: length = 7

As you are using Java 8, the default will be TLS 1.2.

By looking at your screenshot, client TLS is not enabled in your IE 11. By default IE 11 has SSL 3.0, TLS 1.0, 1.1, 1.2 enabled.

If you look at the protocols matrix, you will see why the connection is not successful.

Thus, please update your IE 11 SSL/TLS settings, or try another browser to verify.

I had the same issue a long time ago.

My solution was (the steps I follow here depend on the CA instructions; the CA site usually has the complete instructions on how to generate the certificate correctly):

  1. Create the certificate again, but with the following command (keysize 2048). Make sure that the name and last name are the same as your site name, for example yourhost.com:

keytool -genkey -alias yourhost.com -keyalg RSA -keysize 2048 -keystore servername.jks

  2. Generate the CSR

keytool -certreq -alias yourhost.com -file mycsr.txt -keystore servername.jks

  3. Install the certificate

keytool -import -trustcacerts -alias yourhost.com -file file-from-your-ca.p7b -keystore servername.jks

On the server.xml connector put the following configuration (note: the possible sslProtocol values depend on the JVM that you are using; please see the possible values for Java 8: java 8 ssl values)

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"  keystoreFile="/home/myserver/ssl/servername.jks" keystorePass="yourpass" keystoreAlias="yourhost.com" sslProtocol="TLSv1.2"  />

Restart Tomcat.

There are more examples of how to configure a secure connector on this site: Secure Tomcat

Tomcat can use two different implementations of SSL:

  • the JSSE implementation provided as part of the Java runtime (since 1.4)
  • the APR implementation, which uses the OpenSSL engine by default

The exact configuration details depend on which implementation is being used. If you configured the Connector by specifying the generic protocol="HTTP/1.1", then the implementation used by Tomcat is chosen automatically. If the installation uses APR, i.e. you have installed the Tomcat native library, then it will use the APR SSL implementation; otherwise it will use the Java JSSE implementation.

Please refer to https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html for all configuration details. I simply followed the steps and it works for me.

Most importantly, are you sure the issue is in your Tomcat? Your error may come from your browser.

  • Have you tried other browsers other than IE?
  • Which version of IE are you using?
  • Windows 7 or Windows 8?

If you face the issue only in IE, also check SSL 2.0 and SSL 3.0 under the Advanced Settings, along with the recommended fix of turning on TLS 1.0, TLS 1.1, and TLS 1.2.

I am currently facing a similar problem, and I have the strong suspicion that our problem has something to do with the Tomcat configuration within server.xml. I too see the service listening on the port, and not many helpful messages in any log files.

I was told by a colleague who got a secure Tomcat with SSL running to enter:

   <Connector port="443" scheme="https" server="Secure Web Server"
              minSpareThreads="25" allowTrace="false" keystoreType="JKS"
              keystoreFile="C:\tomcat\conf\aSecureTomcat.jks" keystorePass="yourPassword"  
              connectionTimeout="20000"
              protocol="org.apache.coyote.http11.Http11NioProtocol" 
              secure="true" clientAuth="false" sslProtocol="TLS" 
              sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
              useServerCipherSuitesOrder="true" 
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"/> 

I have not figured out the minimal configuration yet, but the important part for you might be the last 5 lines of my snippet. What does your Tomcat config look like?

Just change your original server.xml: sslProtocol="TLSv1.2". Include the version number. I had the same error before.

Try forcing JSSE use by adding in your Connector:

sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"

For some reason it's detecting APR and trying to use OpenSSL, which is not working. See this answer.
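As an added example (not code from any poster on this page), a small Python audit that parses a Tomcat Connector like the ones above and classifies the JSSE debug lines from the question. It generalizes the answers' advice (pin the version, avoid legacy protocols, force JSSE) into checks; the connector string, log lines, keystore path and password are constructed for the example.

```python
"""Audit a Tomcat 8 SSL <Connector> and classify JSSE debug output (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed copy of the question's connector; path and password are placeholders.
CONNECTOR_XML = ('<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" '
                 'SSLEnabled="true" scheme="https" secure="true" clientAuth="false" '
                 'sslProtocol="TLS" keystoreFile="C:\\tomcat_ssl\\test.keystore" '
                 'keystorePass="123" keystoreAlias="myservername"/>')

# Constructed JSSE debug lines modelled on the question's log.
LOG_LINES = [
    "http-nio-443-exec-5, fatal error: 10: General SSLEngine problem",
    "javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled",
    "http-nio-443-exec-5, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message",
]

# Protocol names JSSE accepts that should not be enabled on a server today.
LEGACY = {"SSLv2Hello", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connector(xml_text):
    """Return a list of findings for an SSL-enabled Connector element."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []
    if attrs.get("SSLEnabled") != "true":
        findings.append("SSLEnabled is not true")
    if attrs.get("sslProtocol", "TLS") == "TLS" and "sslEnabledProtocols" not in attrs:
        findings.append('sslProtocol="TLS" without sslEnabledProtocols: pin e.g. sslEnabledProtocols="TLSv1.2"')
    enabled = {p.strip() for p in attrs.get("sslEnabledProtocols", "").split(",") if p.strip()}
    for proto in sorted(enabled & LEGACY):
        findings.append(f"legacy protocol enabled: {proto}")
    if "sslImplementationName" not in attrs:
        findings.append("sslImplementationName unset: Tomcat picks APR/OpenSSL if tcnative is installed")
    if attrs.get("keystorePass") in ("123", "changeit"):
        findings.append("weak keystore password")
    for suite in attrs.get("ciphers", "").split(","):
        if "_CBC_" in suite:  # CBC suites are deprecated in current TLS guidance
            findings.append(f"CBC cipher suite: {suite.strip()}")
    return findings


def classify_handshake(lines):
    """Map JSSE debug output to the likely cause and which side has to change."""
    text = "\n".join(lines)
    if "SSLv2Hello is disabled" in text:
        # Java 8 rejects SSLv2-format ClientHellos by default; fix the client's TLS settings
        return "client sent an SSLv2-format ClientHello; enable TLS 1.x on the client"
    if "no cipher suites in common" in text:
        return "no shared cipher suite; compare ciphers= with what the client offers"
    if "handshake_failure" in text or "protocol_version" in text:
        return "protocol version mismatch between client and sslEnabledProtocols"
    return "no known handshake failure pattern found"
```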
