I am attempting to implement secure connections to our z/OS hosted Tomcat server per an audit order. I am using the standard Java keytool based process and have already acquired a signed certificate and enabled the secure port. I have left the unsecured port open only for admin access to the manager utility; all other applications require use of the secure port. The problem is that while an unsigned certificate will allow access to the application with the expected 'potentially unsafe' error message, when I use the keystore with the signed certificate I receive an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error message. I have tried a variety of different ciphers outside of the defaults and enabled all TLS versions 1.0, 1.1, and 1.2. Currently corporate policy only allows anyone in the company to use IE9 and Chrome 44; it is in Chrome that I see the error message during testing.
My configuration for the secure port at last test:
<Connector port="(port#)" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    SSL_RSA_WITH_NULL_SHA,
                    TLS_RSA_WITH_NULL_SHA256,
                    SSL_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_SEED_CBC_SHA,
                    SSL_RSA_WITH_DES_CBC_SHA,
                    SSL_RSA_WITH_IDEA_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
                    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
                    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
           keystoreFile="(keystore)"
           keystoreProvider="IBMJCE"
           keyPass="(password)" />
Has anyone encountered this before?
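A version-or-cipher mismatch means the browser and the server found no protocol version plus cipher suite they both support, and a server can only offer a suite whose authentication method matches the key type in its keystore (a TLS_RSA_* or *_ECDHE_RSA_* suite needs an RSA private key, an *_ECDSA_* suite an EC key). The following is an added example, not code from the post or from Tomcat: it reads a Tomcat <Connector> element offline, flags the suites in the list that an auditor would reject (NULL, RC4, single DES, IDEA, export grade, no forward secrecy), and computes the intersection with a constructed client offer to show when a handshake can succeed at all. The connector below is a shortened copy of the one in the post with placeholder keystore values; the client cipher and protocol lists are constructed for illustration and are not any real browser's list.

```python
"""Offline audit of a Tomcat <Connector> TLS configuration (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector in the post: placeholder keystore
# path/password, and the cipher list shortened to representative entries.
CONNECTOR_XML = """<Connector port="8443" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11Protocol"
    scheme="https" secure="true" clientAuth="false"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
             SSL_RSA_WITH_NULL_SHA,
             SSL_RSA_WITH_RC4_128_SHA,
             SSL_RSA_WITH_DES_CBC_SHA,
             TLS_RSA_WITH_AES_128_GCM_SHA256,
             TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    keystoreFile="(keystore)" keystoreProvider="IBMJCE" keyPass="(password)" />
"""

# Substrings of standard suite names that identify a suite an audit would reject.
WEAK_MARKERS = {
    "_NULL_": "no encryption",
    "_RC4_": "RC4 is broken",
    "_DES_CBC_": "single DES (56-bit key)",   # does not match _3DES_EDE_CBC_
    "_EXPORT": "export-grade key length",
    "_IDEA_": "legacy cipher, dropped by modern clients",
}


def parse_connector(xml_text):
    """Return (protocols, ciphers) from the connector attributes, whitespace-trimmed.
    XML attribute normalisation turns the newlines in the list into spaces, so
    each entry is stripped after splitting on commas."""
    conn = ET.fromstring(xml_text)
    protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
    ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    return protocols, ciphers


def classify(suite):
    """Problems with one suite name; an empty list means nothing was flagged."""
    issues = [why for marker, why in WEAK_MARKERS.items() if marker in suite]
    if suite.endswith("_SCSV"):
        issues.append("signalling value, not a cipher suite")
    elif "_ECDHE_" not in suite and "_DHE_" not in suite:
        issues.append("no forward secrecy")
    return issues


def suite_key_type(suite):
    """Key type the server certificate must have for the suite to be offered."""
    if "_ECDSA_" in suite:
        return "EC"
    if "_RSA_" in suite:
        return "RSA"
    return None


def negotiable(server_protocols, server_ciphers, server_key_type,
               client_protocols, client_ciphers):
    """Protocols and suites both sides share, given the server's key type.
    Suites come back in server preference order; SCSVs are never negotiable."""
    protocols = [p for p in server_protocols if p in client_protocols]
    offered = [s for s in server_ciphers
               if not s.endswith("_SCSV") and suite_key_type(s) == server_key_type]
    wanted = set(client_ciphers)
    return protocols, [s for s in offered if s in wanted]


def audit(xml_text, server_key_type, client_protocols, client_ciphers):
    """Flag weak suites and report whether a handshake with this client can succeed."""
    protocols, ciphers = parse_connector(xml_text)
    flagged = {s: classify(s) for s in ciphers if classify(s)}
    common_protocols, common_suites = negotiable(
        protocols, ciphers, server_key_type, client_protocols, client_ciphers)
    return {
        "flagged": flagged,
        "common_protocols": common_protocols,
        "common_suites": common_suites,
        "handshake_possible": bool(common_protocols) and bool(common_suites),
    }


if __name__ == "__main__":
    # Constructed client offer (hypothetical, not a real browser's list).
    client_protocols = ["TLSv1.2"]
    client_ciphers = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_WITH_AES_128_GCM_SHA256"]
    for key_type in ("RSA", "EC"):
        report = audit(CONNECTOR_XML, key_type, client_protocols, client_ciphers)
        print(f"server key {key_type}: handshake possible = {report['handshake_possible']}, "
              f"common suites = {report['common_suites']}")
    for suite, issues in audit(CONNECTOR_XML, "RSA", client_protocols, client_ciphers)["flagged"].items():
        print(f"  {suite}: {', '.join(issues)}")
```

Running it with the same connector under an RSA key and then an EC key shows the two failure modes separately: with an EC key none of the TLS_RSA_* suites can be offered, so the handshake fails regardless of how long the cipher list is, while with an RSA key only the suites the client also offers survive. The flagged list is what an auditor would expect to see removed from the connector once the connection works.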