
Tomcat SSL configuration: Chrome reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH

After configuring Tomcat SSL today, we found that the page could not be accessed. Chrome prompts the following:

[Screenshot: Access error.png, the Chrome error page]

The odd thing is that the same configuration works fine on other servers.
A round of searching on Baidu turned up no solution, and we did not know much about how Tomcat's SSL configuration works. Searching on Google later turned up a fix: explicitly configure the set of cipher suites in the SSL connector:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,     
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
           TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
           SSL_RSA_WITH_RC4_128_SHA"

The specific connector configuration is as follows:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" URIEncoding="UTF-8"
           keystoreFile="conf/chinanetcenter.tomcat" keystorePass="2013111"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA"
           compression="on" compressionMinSize="50" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"/>

After this change, the page can be accessed.

We have not worked out the exact cause yet; when there is a chance, we will look further into how Tomcat's SSL mechanism works.

Here is some of the information we came across while searching for the problem:

Tomcat's SSL can be implemented in two ways: with APR or with JSSE. Tomcat automatically selects which implementation to use; if APR is installed on the server, it seems to choose APR automatically (I suspect the error above has something to do with APR, because only the server that has APR installed fails). You can make Tomcat use the JSSE implementation by specifying the protocol explicitly.

Tomcat can implement SSL in two ways, JSSE and APR:
(1) The JDK has included JSSE since version 1.4. APR uses the OpenSSL engine, so to use APR you must configure the OpenSSL engine.
(2) JSSE comes in a BIO implementation and an NIO implementation. The protocol value for the BIO implementation is org.apache.coyote.http11.Http11Protocol, and for the NIO implementation it is org.apache.coyote.http11.Http11NioProtocol. To use APR mode you must install the Tomcat Native library.
(3) The default connector in most Tomcat versions is the BIO connector.
According to our test, Tomcat 6 uses the BIO connector and does not support NIO, so the protocol value of the connector should be written as org.apache.coyote.http11.Http11Protocol.
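Two things are worth knowing when putting the above together. First, ERR_SSL_VERSION_OR_CIPHER_MISMATCH is Chrome's way of saying the TLS handshake failed because the client and server found no protocol version or cipher suite in common, so the fix is always about making the two lists overlap. Second, the cipher list used above still contains RC4 suites (TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA); RC4 was prohibited for TLS by RFC 7465 and current browsers no longer offer it, so those entries add nothing and a scanner will flag them. The connector below is an added example, not the configuration from the post: it pins the JSSE NIO implementation via the protocol attribute (so an installed APR library cannot silently change which implementation is used), restricts the server to TLS 1.2 and forward-secret AES suites, and asks the server to pick from its own preference order. It assumes Tomcat 7.0.x or 8.0.x on Java 8 or newer (the GCM and SHA384 suites are not available on Java 7); the keystore path and password are placeholders to replace with your own.

```xml
<!-- Added example (not from the original post): a JSSE NIO HTTPS connector with an
     explicit implementation, a TLS 1.2-only protocol list and a modern cipher list.
     Assumes Tomcat 7.0.x / 8.0.x on Java 8+; keystoreFile/keystorePass are placeholders. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" URIEncoding="UTF-8"
           keystoreFile="conf/your-keystore.p12"
           keystorePass="CHANGE_ME"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
           compression="on" compressionMinSize="50"
           compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"/>
```

After restarting Tomcat, check what the server actually negotiates from the command line rather than from the browser error page: `openssl s_client -connect yourhost:443 -servername yourhost -tls1_2` prints the negotiated `Protocol` and `Cipher` lines on success, while a "handshake failure" alert means the lists still do not overlap, which is the same condition Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Keep in mind that the APR/native connector (org.apache.coyote.http11.Http11AprProtocol) takes a different set of attributes (SSLCertificateFile, SSLCertificateKeyFile, SSLProtocol, and SSLCipherSuite written in OpenSSL cipher syntax), so the JSSE attributes shown here, keystoreFile and ciphers in particular, only apply once the protocol attribute selects a JSSE implementation.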