
How to resolve Tomcat 10 SSL-Protocol Configuration Error?


My goal is to set up Tomcat 10's SSL configuration. This is what my setup looks like.

<!-- NOTE(review): this mixes the legacy per-Connector SSL attributes
     (sslEnabledProtocols, clientAuth, SSLCertificateFile, SSLCertificateKeyFile)
     with the SSLHostConfig/Certificate form. The answer below states that
     sslEnabledProtocols was removed in Tomcat 10 and that "protocols" on
     SSLHostConfig replaces it; the certificate paths are also given twice here
     (on the Connector and on Certificate). -->
<Connector
      port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      maxThreads="150"
      minSpareThreads="25"
      SSLEnabled="true"
      sslEnabledProtocols="TLSv1.2"
      scheme="https"
      secure="true"
      enableLookups="false"
      disableUploadTimeout="true"
      acceptCount="400"
      URIEncoding="UTF-8"
      clientAuth="false"
      defaultSSLHostConfigName="abx.io"
      SSLCertificateFile="conf/cert_abx/cert.pem"
      SSLCertificateKeyFile="conf/cert_abx/privkey.pem"
      connectionTimeout="20000">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  <!-- NOTE(review): the ciphers value as pasted is broken at "TLS_ECDHE>": the
       stray ">" and the line breaks sit inside the quoted attribute value, so
       "TLS_ECDHE" is not a complete cipher-suite name and whatever follows it up
       to the next comma is not parsed as one either. SSL_RSA_WITH_RC4_128_SHA is
       RC4, which is prohibited for TLS (RFC 7465) and disabled by default in
       current JDKs, so it can never be negotiated; the TLS_RSA_* suites use
       static RSA key exchange and therefore provide no forward secrecy. -->
  <SSLHostConfig
        hostName="abx.io"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE>
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA">
    <!-- PEM certificate, private key and intermediate chain for abx.io -->
    <Certificate
          certificateFile="conf/cert_abx/cert.pem"
          certificateKeyFile="conf/cert_abx/privkey.pem"
          certificateChainFile="conf/cert_abx/chain.pem"/>
  </SSLHostConfig>
</Connector>

However, I am receiving the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH ("The client and server don't support a common SSL protocol version or cipher suite"). Furthermore, I have tried changing the protocol to org.apache.coyote.http11.Http11AprProtocol, but this does not seem to be available with the current Tomcat 10 server.


Solution

  • Some attributes in your config are no longer used in Tomcat 10

    For example, 'sslEnabledProtocols' was deprecated in Tomcat 9 and removed in Tomcat 10; the 'protocols' attribute should be used instead.

    Try to use the below config and check once again.

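    <!-- Tomcat 10 NIO HTTPS connector. All TLS settings are expressed on
         SSLHostConfig; none of the legacy per-Connector SSL attributes
         (sslEnabledProtocols, clientAuth, SSLCertificateFile, ...) are used,
         so the configuration does not depend on Tomcat still accepting them. -->
    <Connector
          port="8443"
          protocol="org.apache.coyote.http11.Http11NioProtocol"
          maxThreads="150"
          minSpareThreads="25"
          SSLEnabled="true"
          scheme="https"
          secure="true"
          enableLookups="false"
          disableUploadTimeout="true"
          acceptCount="400"
          URIEncoding="UTF-8"
          defaultSSLHostConfigName="abx.io"
          connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <!-- "protocols" replaces the removed sslEnabledProtocols.
           certificateVerification="none" is the SSLHostConfig equivalent of the
           old clientAuth="false" (no client certificate requested) and is also
           the default, so it is listed only to make the intent explicit.
           Cipher list: the bare "TLS_ECDHE" token (a truncation, not a
           cipher-suite name) and SSL_RSA_WITH_RC4_128_SHA (RC4 is prohibited
           for TLS by RFC 7465 and disabled by default in current JDKs) are
           dropped, since neither could ever be negotiated. The remaining
           TLS_RSA_* suites use static RSA key exchange and give no forward
           secrecy; keep them only while legacy clients still need them. -->
      <SSLHostConfig hostName="abx.io"
                     protocols="TLSv1.2"
                     certificateVerification="none"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA">
        <!-- PEM certificate, private key and intermediate chain for abx.io -->
        <Certificate
              certificateFile="conf/cert_abx/cert.pem"
              certificateKeyFile="conf/cert_abx/privkey.pem"
              certificateChainFile="conf/cert_abx/chain.pem"/>
      </SSLHostConfig>
    </Connector>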