2 Replies Latest reply on Nov 22, 2016 10:12 AM by jgabriel
    jgabriel Apprentice

    ERR_SSL_OBSOLETE_CIPHER

    Hello, does anyone have any experience with the ERR_SSL_OBSOLETE_CIPHER error in Chrome? (IE works)

     

    I am running CentOS with OpenJDK 1.8 and Tomcat 8.

     

    My server.xml looks like this:

     

        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />

        <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/usr/tomcat/conf/.keystore" keystorePass="twadmin"
               clientAuth="false" sslProtocol="TLS"/>

     

    Thanks and best regards!

      • Re: ERR_SSL_OBSOLETE_CIPHER
        jgabriel Apprentice

        I do not really understand it but this works:

         

            <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                   port="8443" maxThreads="200"
                   scheme="https" secure="true" SSLEnabled="true"
                   keystoreFile="/usr/tomcat/conf/.keystore" keystorePass="twadmin"
                   clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
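
An added example, not part of the original thread: a short Python audit of the `sslEnabledProtocols` and `ciphers` values from the reply above, which shows that every suite in the posted list is RC4, static-RSA or CBC-based. The `connector` and `audit` helpers and the TLS 1.2 / AES-GCM comparison connector are constructed here and assume the JVM in use offers those suites.

```python
import re
import xml.etree.ElementTree as ET

# Cipher list exactly as posted in the reply above.
PAGE_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
)
OLD_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
SUITE_CHECKS = [  # (pattern on the JSSE suite name, reason it is flagged)
    (re.compile(r"_RC4_"), "RC4 stream cipher (prohibited by RFC 7465)"),
    (re.compile(r"^(TLS|SSL)_RSA_WITH_"), "static RSA key exchange, no forward secrecy"),
    (re.compile(r"_CBC_"), "CBC mode with HMAC, not an AEAD suite"),
]

def connector(protocols, ciphers):
    """Build a minimal <Connector> holding only the TLS attributes under review."""
    return ('<Connector port="8443" SSLEnabled="true" '
            f'sslEnabledProtocols="{protocols}" ciphers="{ciphers}"/>')

PAGE_CONNECTOR = connector("TLSv1,TLSv1.1,TLSv1.2", PAGE_CIPHERS)
# Constructed comparison (assumption): TLS 1.2 only, ECDHE with AES-GCM (AEAD).
HARDENED_CONNECTOR = connector(
    "TLSv1.2",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")

def audit(xml_text):
    """Return (old_protocols, {suite: [reasons]}, unflagged_suites) for a Connector."""
    conn = ET.fromstring(xml_text)
    split = lambda v: [x.strip() for x in (v or "").split(",") if x.strip()]
    old = [p for p in split(conn.get("sslEnabledProtocols")) if p in OLD_PROTOCOLS]
    suites = split(conn.get("ciphers"))
    flagged = {s: [why for rx, why in SUITE_CHECKS if rx.search(s)] for s in suites}
    flagged = {s: why for s, why in flagged.items() if why}
    return old, flagged, [s for s in suites if s not in flagged]

if __name__ == "__main__":
    for name, xml_text in (("page", PAGE_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        old, flagged, clean = audit(xml_text)
        print(f"{name}: old protocols={old}, unflagged suites={clean}")
        for suite, reasons in flagged.items():
            print(f"  {suite}: {'; '.join(reasons)}")
```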

        • Re: ERR_SSL_OBSOLETE_CIPHER
          jgabriel Apprentice

          This problem was caused by using OpenJDK, which has problems with crypto. Maybe it is only wrong settings, but when I use Oracle JDK it works well.

           

          Also, it is probably better to use Apache or Nginx for the frontend; security for these is implemented faster than in Tomcat.