SSL/TLS Support

Issues and Questions related to running Apache Tomcat on z/OS
thoffman017
Posts: 2
Joined: Mon Aug 31, 2015 8:30 am

SSL/TLS Support

Post by thoffman017 » Mon Aug 31, 2015 8:45 am

Hi all,

I am attempting to implement secure connections to our z/OS-hosted Tomcat server per an audit order. I am using the standard Java keytool-based process and have already acquired a signed certificate and enabled the secure port. I have left the unsecured port open only for admin access to the manager utility; all other applications require use of the secure port. The problem is that while an unsigned certificate allows access to the application with the expected 'potentially unsafe' error message, when I use the keystore with the signed certificate I receive an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error message. I have tried a variety of different ciphers outside of the defaults and enabled all TLS versions 1.0, 1.1, and 1.2. Currently, corporate policy only allows anyone in the company to use IE9 and Chrome 44; it is in Chrome that I see the error message during testing.

My configuration for the secure port at last test:


<!-- Note: the NULL suites below provide no encryption, and RC4 and single DES are broken ciphers. -->
<Connector port="(port#)" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    SSL_RSA_WITH_NULL_SHA,
                    TLS_RSA_WITH_NULL_SHA256,
                    SSL_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_SEED_CBC_SHA,
                    SSL_RSA_WITH_DES_CBC_SHA,
                    SSL_RSA_WITH_IDEA_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
                    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
           keystoreFile="(keystore)"
           keystoreProvider="IBMJCE"
           keyPass="(password)" />


Has anyone encountered this before?

dovetail
Site Admin
Posts: 1848
Joined: Thu Jul 29, 2004 12:12 pm

Re: SSL/TLS Support

Post by dovetail » Mon Aug 31, 2015 3:37 pm

Could this be your problem? (see the final response on this thread)

https://communities.vmware.com/thread/5 ... 5&tstart=0

According to this, Chrome no longer supports certificates with a DSA signature. I can't tell if that is your problem since you didn't include a readable dump of your cert.
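The two posts above point at the same check: a cipher "mismatch" is not only about whether the names in the connector's ciphers attribute overlap with what the browser offers, but also about whether the server's certificate key can serve any of the overlapping suites (every TLS_RSA_* suite needs an RSA key; a DSA key can only serve *_DSS_* suites, which Chrome dropped). The script below is an added example, not code from this thread, from Tomcat or from IBM. It parses a server.xml snippet that mirrors the posted connector with the elided port, keystore path and password replaced by made-up values, flags the weak suites in that list, and computes the negotiable set against a constructed client offer (an assumption standing in for a 2015-era browser, not an authoritative Chrome 44 list) for both an RSA and a DSA server key.

```python
"""Audit a Tomcat <Connector> cipher list for a TLS cipher mismatch.

Added example; not code from the thread, Tomcat or IBM. Assumptions: the
server.xml snippet mirrors the connector posted above with the elided
port, keystore path and password replaced by made-up values; CLIENT_OFFER
is a constructed stand-in for a 2015 browser, not an authoritative list.
"""
import re
import xml.etree.ElementTree as ET

SERVER_XML = """<Connector port="8443" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    SSL_RSA_WITH_NULL_SHA,
                    TLS_RSA_WITH_NULL_SHA256,
                    SSL_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_SEED_CBC_SHA,
                    SSL_RSA_WITH_DES_CBC_SHA,
                    SSL_RSA_WITH_IDEA_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
                    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
           keystoreFile="conf/keystore.jks" keystoreProvider="IBMJCE"
           keyPass="changeit" />"""

# Constructed client offer (an assumption), in the client's preference order.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# NULL = no encryption; RC4, single DES, EXPORT and MD5 are broken; anon = no authentication.
WEAK = re.compile(r"_(NULL|RC4|DES_CBC|EXPORT|anon|MD5)(_|$)")


def parse_ciphers(xml_text):
    """Split the connector's ciphers attribute into a clean list of suite names."""
    connector = ET.fromstring(xml_text)
    return [c.strip() for c in connector.get("ciphers", "").split(",") if c.strip()]


def key_alg_for(suite):
    """Certificate key type a suite needs, read from its key-exchange token.

    Returns "RSA", "DSA", "EC", or None for anonymous suites and signalling
    values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
    """
    m = re.match(r"(?:TLS|SSL)_([A-Za-z_]+?)_WITH_", suite)
    if not m:
        return None
    kx = m.group(1)
    if kx in ("ECDH_RSA", "ECDH_ECDSA"):
        return "EC"  # static ECDH: the certificate itself carries an EC key
    return {"RSA": "RSA", "DSS": "DSA", "ECDSA": "EC"}.get(kx.split("_")[-1])


def audit(server_suites, client_offer, server_key_alg):
    """Return (weak, negotiable).

    weak: configured suites matching WEAK.
    negotiable: suites both sides share AND that the server's certificate key
    can serve, in client preference order. Empty means the handshake fails
    with a cipher mismatch even though the name lists overlap.
    """
    weak = [s for s in server_suites if WEAK.search(s)]
    usable = {s for s in server_suites if key_alg_for(s) == server_key_alg}
    negotiable = [s for s in client_offer if s in usable]
    return weak, negotiable


if __name__ == "__main__":
    suites = parse_ciphers(SERVER_XML)
    weak, _ = audit(suites, CLIENT_OFFER, "RSA")
    print("weak suites configured:", ", ".join(weak))
    for key_alg in ("RSA", "DSA"):
        _, ok = audit(suites, CLIENT_OFFER, key_alg)
        print(f"{key_alg} server key -> negotiable:", ", ".join(ok) or "NONE (cipher mismatch)")
```

With an RSA key the posted list still leaves three shared suites, so the error would have to come from elsewhere; with a DSA key nothing is negotiable and the browser reports exactly a version-or-cipher mismatch. That matters because keytool -genkeypair of that era produced a DSA key unless -keyalg RSA was given explicitly, so "the standard keytool process" can yield a DSA key without anyone choosing it; keytool -list -v on the keystore shows the key type and the signature algorithm, which is the readable dump asked for above.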

thoffman017
Posts: 2
Joined: Mon Aug 31, 2015 8:30 am

Re: SSL/TLS Support

Post by thoffman017 » Tue Sep 15, 2015 8:36 am

Sorry for the slow response; I have been investigating from some other angles. I have found that one small issue is that my certificate is using the older SHA-1 hash function, but at this point Chrome and IE still allow this in a legacy manner, and we should be able to resolve this in the near future. My certificate uses RSA encryption at least, so that should not be the problem.

I have run a Wireshark trace from my machine and found that back-and-forth communication occurs, but no 'CLIENT HELLO' packet is sent to start the secure connection.
