tomcat 7 + ssl not working - ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Published 2020-06-01 08:05

Question:

Ubuntu 14, tomcat 7, java 7

our.crt, our.key and gd_bundle-g2-g1.crt supplied by godaddy. The bundle has 3 certs in it (as seen by vi'ing the file).

Note, our key and crt were used on node.js without issue.

we created a keystore from the existing crt thusly:

cd /etc/ssl
openssl pkcs12 -export -in our.crt -inkey our.key -out our.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root -chain

The server.xml is this:

<Server port="8005" shutdown="SHUTDOWN">

  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="200" scheme="https" secure="true"
               keystoreType="PKCS12"
               keystoreFile="/etc/ssl/our.p12" keystorePass=""
               clientAuth="false" sslProtocol="TLS" />

  • Tomcat starts up with no errors.
  • The webapp works fine on port 80.
  • The server has no firewall running.

We set up a local redirect from 443 to 8443:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Then try https://www.ourserver.com/ourapp

Chrome gives: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

curl examples running on local machine:

curl -Iv https://www.ourserver.com:8443
* Rebuilt URL to: https://www.ourserver.com:8443/
* Hostname was NOT found in DNS cache
*   Trying 1xxxxxxxx...
* Connected to www.ourserver.com (1xxxx) port 8443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Any ideas?

UPDATE 1

I tried setting up a new tomcat 7 on a new server, and installed a fresh copy of the certs, and got the same error.

Answer 1:

Try adding a ciphers attribute to your connector tag, like

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
   TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
   TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

If this does not help, then try changing your protocol attribute from protocol="HTTP/1.1" to protocol="org.apache.coyote.http11.Http11Protocol"

For more reference see



Answer 2:

Recently I got the same error when I was trying to follow the guide Securing Bitbucket Server with Tomcat using SSL, and I found this solution here.

You have to convert from pkcs12 to java keystore format:

keytool -importkeystore \
        -deststorepass changeit -destkeypass changeit \
        -destkeystore /path/to/my/keystore.jks \
        -srckeystore our.p12 -srcstoretype PKCS12

and in Tomcat, just set:

<Connector ...
          keystoreFile="/path/to/my/keystore.jks" />


Answer 3:

Try switching sslProtocol to "TLSv1,TLSv1.1,TLSv1.2". You may want to prepend SSLv2Hello to that for the openssl / curl test cases as some older libraries will want to send the old hello before up-negotiating.



Answer 4:

Ubuntu 14, tomcat 7, java 7

What exact versions of Tomcat and of Java 7?

https://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5

The server.xml is this:

You are not mentioning what connector implementation you are using, but as AprLifecycleListener is removed from your server.xml it means that you are using the "Http11Protocol" (aka "BIO") implementation. Good. It should be visible from your startup logs. (If you had used the "APR" implementation, your configuration would have had to be quite different.)

curl -Iv https://www.ourserver.com/ourapp:8443

An odd URL. The port number should follow the server name, https://www.ourserver.com:8443/ourapp.

Though message "* Rebuilt URL to: https://www.ourserver.com:8443/" from curl looks like it knows how to deal with that.

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Tomcat 7.0.57 and later has the SSLv3 protocol disabled by default because of a published SSL vulnerability (CVE-2014-3566 POODLE). That filtering of SSL protocols disables all protocols that have "SSL" in their name, including SSLv2Hello. Apparently curl tries to connect with an SSLv2Hello handshake here ("SSL23" in its message).

You need a client that supports TLS protocol (TLS 1.0, 1.1 or 1.2).

https://wiki.apache.org/tomcat/Security/POODLE
https://wiki.apache.org/tomcat/Security/Ciphers

Try switching sslProtocol to "TLSv1,TLSv1.1,TLSv1.2". You may want to prepend SSLv2Hello to that for the openssl / curl test cases as some older libraries will want to send the old hello before up-negotiating.

Good, but with one correction: the above is a value for sslEnabledProtocols attribute (not sslProtocol).

You can try connecting with OpenSSL,

openssl s_client -connect hostname:8443

openssl s_client -connect hostname:8443 -tls1

OpenSSL Doc: https://openssl.org/docs/apps/s_client.html

Tomcat 7 Configuration reference: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

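The probing Answer 4 recommends, as an added example that is not part of the original thread: a small POSIX shell script that runs openssl s_client once per TLS version and reduces its output to a verdict, so that a handshake_failure alert (the server found no cipher suite it could use, which is also what a server with no usable key produces) is told apart from a plain protocol-version rejection. The host and port are whatever you pass on the command line; with no arguments it classifies the curl error text copied from the question. The verdict strings and the pattern list are this script's own, not OpenSSL's; `-tls1` and `-tls1_1` may be compiled out of a modern OpenSSL, in which case they report as unsupported by the client rather than by the server.

```shell
#!/bin/sh
# Added example, not from the thread: probe one TLS protocol version at a time
# with openssl s_client (Answer 4) and reduce the output to a short verdict.
set -u

# Classify OpenSSL / curl error text. Order matters: s_client prints a
# "Verify return code" summary even when the handshake failed, so the
# failure patterns are checked before the success ones.
classify_tls_error() {
    case "$1" in
        *"alert handshake failure"*|*"no shared cipher"*|*"no cipher"*)
            echo "handshake_failure" ;;            # nothing in common, or no usable server key
        *"alert protocol version"*|*"unsupported protocol"*|*"wrong version number"*)
            echo "version_rejected" ;;             # that version is simply not enabled
        *"unknown option"*)
            echo "flag_unsupported_by_client" ;;   # this openssl build lacks the flag
        *"Verify return code: 0 (ok)"*|*"Verification: OK"*)
            echo "ok" ;;
        *"Verify return code:"*|*"Verification error"*)
            echo "ok_untrusted" ;;                 # handshake done, chain not trusted locally
        *) echo "unknown" ;;
    esac
}

# Probe one version. Usage: probe_tls_version host port -tls1_2
probe_tls_version() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1)
    classify_tls_error "$out"
}

# Probe the versions Tomcat 7 can list in sslEnabledProtocols, plus TLS 1.3.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_tls_version "$1" "$2" "$flag")"
    done
}

# Constructed sample: the two lines curl printed in the question.
SAMPLE_CURL='* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'

# With host and port, probe a live server; otherwise classify the sample text.
if [ $# -eq 2 ]; then
    probe_all "$1" "$2"
else
    echo "curl output from the question -> $(classify_tls_error "$SAMPLE_CURL")"
fi
```

Reading the table: if every version comes back as handshake_failure, the server is typically not able to use its certificate and key at all (keystore, password or alias problem), whereas handshake failures only on the older versions point at sslEnabledProtocols or the ciphers list. The script only reports; it does not change anything on the server.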


Answer 5:

I had the same problem, and I solved it.

Please add a password to your keystore - and it works!



Answer 6:

You need to create the certificate as a .jks keystore file.

Key Generation

1) Run the key generation command with the Java keytool:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_domain_name.jks

2) Run the CSR command:

keytool -certreq -alias server -file csr.txt -keystore your_domain_name.jks

3) Submit csr.txt at Godaddy.com

Installation Instructions

1) Convert your certificate files. This needs openssl (https://www.openssl.org/). Run the command; xxx.pem is your domain certificate file:

openssl crl2pkcs7 -nocrl -certfile xxx.pem -out your_file_name.p7b -certfile gd_bundle-g2-g1.crt

2) Run the import command with keytool:

keytool -import -trustcacerts -alias server -file your_file_name.p7b -keystore your_domain_name.jks

3) Open the server.xml file at ..\Apache Software Foundation\Tomcat 7.0\conf. Update the connector setting.

<Connector 
       port="443"  
       scheme="https" 
       secure="true" 
       SSLEnabled="true" 
       clientAuth="false"
       sslProtocol="TLS" 
       keyAlias="server"  
       keystoreFile="/home/user_name/your_domain_name.jks"
       keystorePass="your_keystore_password"
 />

4) You are welcome.

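The keystore side of the thread, as one added example that is not code from the question or any of the answers: it builds the PKCS12 the question's openssl command produces (leaf certificate, private key and CA bundle), refuses the empty keystore password the question's connector used (Answer 5 reports that setting one fixed the error), optionally runs Answer 2's keytool conversion to JKS, and checks what went into the file before Tomcat is pointed at it. Answer 6's keytool-generated-key route is the alternative when the key was never in PEM form. To run offline it generates a throwaway CA and leaf; the subject names, the password "changeit", the alias "tomcat" and the temporary file names are this example's assumptions. With the real material, call build_p12 on our.crt, our.key and gd_bundle-g2-g1.crt instead. Note that -certfile appends the bundle as given, whereas the question's "-CAfile ... -chain" form builds and verifies the chain first.

```shell
#!/bin/sh
# Added example, not code from the thread: build a Tomcat PKCS12 from a leaf
# cert, its key and a CA bundle, convert it to JKS (Answer 2) and check it.
set -eu

# Throwaway PKI (constructed test data): a self-signed CA plus a leaf it signs.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/our.key" -out "$dir/our.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/our.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/our.crt" 2>/dev/null
}

# Bundle leaf, key and CA certs into a PKCS12 under alias "tomcat".
# The password is required to be non-empty: the question's connector had
# keystorePass="" and Answer 5 reports that adding a password fixed it.
build_p12() {
    crt="$1"; key="$2"; bundle="$3"; pass="$4"; out="$5"
    [ -n "$pass" ] || { echo "refusing to build a PKCS12 with an empty password" >&2; return 1; }
    # On OpenSSL 3 add -legacy if the JDK is too old to read its default
    # AES/PBKDF2 PKCS12 encoding (assumption about the target JDK).
    openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$bundle" \
        -name tomcat -out "$out" -passout "pass:$pass"
}

# Number of certificates stored in the PKCS12: expect the leaf plus every CA cert.
count_chain_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The private key must belong to the certificate (RSA moduli must match).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ "$c" = "$k" ]
}

# Does the leaf chain to the bundle, as a browser would check it?
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Answer 2's conversion, run only when a JDK is on the PATH (keytool is optional here).
convert_to_jks() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS conversion" >&2; return 0; }
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype JKS -deststorepass "$2" -destkeypass "$2" -noprompt
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    build_p12 "$work/our.crt" "$work/our.key" "$work/ca.crt" changeit "$work/our.p12"
    echo "certificates in keystore: $(count_chain_certs "$work/our.p12" changeit)"
    key_matches_cert "$work/our.crt" "$work/our.key" && echo "key matches certificate"
    verify_chain "$work/ca.crt" "$work/our.crt" && echo "leaf verifies against bundle"
    convert_to_jks "$work/our.p12" changeit "$work/our.jks"
    rm -rf "$work"
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
demo
```

The matching connector attributes are the ones the thread already names: keystoreFile pointing at the .p12 (keystoreType="PKCS12") or the converted .jks, keystorePass set to the password passed to build_p12, and, per Answer 4, sslEnabledProtocols rather than sslProtocol for the list of TLS versions. A count lower than one plus the number of certificates in gd_bundle-g2-g1.crt means the bundle was not picked up.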


Tags: tomcat ssl