Tomcat 8 ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I have bought a wildcard SSL from ssl2buy and installed it on my Tomcat 8 - Server 2012 server, where I run my Java applications. After I installed the certificate I receive this error message: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Support told me:
"Cipher and protocol issue is not related to SSL certificate, its about protocol and cipher settings. You should update the correct cipher security settings."
After telling me this, support went offline and the ticket that I opened is not answered :D So maybe someone here will be able to help me.
These are the steps I used to create the jks file:
keytool -genkey -alias ge.shemo -keyalg RSA -keystore shemo_wildcard
keytool -certreq -keyalg RSA -alias ge.shemo -file irakli.csr -keystore shemo_wildcard
keytool -importcert -file shemo_Wildcart.cer -keystore shemo_wildCard.jks -alias "ge.shemo"
Can someone please tell me what I have done wrong? or what I need to change?
UPDATED
I started everything from the beginning:
Here are the steps I followed.
bought certificate from ssl2buy.com
generated csr :
keytool -keysize 3096 -genkey -alias *.shemo.ge -keyalg RSA -keystore tomcat8.keystore
pass: TesT123
keytool -certreq -keyalg RSA -alias *.shemo.ge -file tomcat8.csr -keystore tomcat8.keystore
Generated csr:
Received the certificate via email. Created a file, called it tomcat8.cer, with the following code
Received certificate:
Then did the following:
keytool -import -alias root -keystore tomcat8.keystore -trustcacerts -file tomcat8.cer
keytool -import -alias intermed -keystore tomcat8.keystore -trustcacerts -file tomcat8.cer
keytool -importcert -file tomcat8.cer -keystore twix.jks -alias *.shemo.ge
Here is my connector:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile ="C:\Program Files (x86)\Java\jdk1.7.0_79\bin\twix.jks" keystorePass="TesT123"/>
After all that I restarted the server and still receive this error:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Solution 1:[1]
Let me try to give a general explanation for this issue:
A server usually supports different SSL protocol versions (SSLv3, TLS1.0, TLS1.1, TLS1.2), and a bunch of different ciphers.
During the handshake client and server negotiate one protocol version and one cipher to be used.
If there is a mismatch, that means your server is configured to only support TLS1.2, but your client is only capable of TLS1.0 for example, or that the client and server have not a single cipher that both support.
I never used Tomcat, but a quick look at https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html tells me that the sslEnabledProtocols and ciphers arguments might be of interest to you:
The sslEnabledProtocols attribute determines which versions of the SSL/TLS protocol are used. Since the POODLE attack in 2014, all SSL protocols are considered unsafe and a secure setting for this attribute in a standalone Tomcat setup might be sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
The ciphers attribute controls the ciphers used for SSL connections. By default, the default ciphers for the JVM will be used. This usually means that the weak export grade ciphers will be included in the list of available ciphers. Secure environments will normally want to configure a more limited set of ciphers. This attribute accepts the OpenSSL syntax for including/excluding cipher suites. As of 2014-11-19, with standalone Tomcat 8 and Java 8, Forward Secrecy can be achieved by specifying only TLS protocols using the sslEnabledProtocols attribute (above) and excluding non-DH ciphers, and weak/broken ciphers. The Qualys SSL/TLS test is a useful tool for configuring these settings.
But since by default it already uses very conservative/compatible settings, I cannot really tell where the source of your issue is, maybe you have some global setting override somewhere. Also you have not mentioned which client you used to get that specific error code. Maybe just remove sslProtocol="TLS", assuming your client only supports SSLv3.
Solution 2:[2]
The answer @Nappy gave is correct and very useful. However it did not solve my problem, I got the same error message and in my case it was due to the private key not being loaded to my keystore. Because I always have a hard time installing SSL certificates to Tomcat on Windows, I found a solution for myself which might help others.
I have a wildcard certificate with the private key included (*.pfx). You can just install that certificate, add the path to that certificate in the server.xml and add the corresponding password to the file. Also add a line to declare the type of keystore between File and Pass:
keystoreFile="C:\Users\Your\Certificate.pfx"
keystoreType="pkcs12"
keystorePass="Password123" sslProtocol = "TLS"
To me this is way easier than installing everything to the Tomcat keystore with the keytool.
Hope this helps!
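A check for the failure Solution 2 describes, as an added example that is not part of the original answers: `keytool -importcert` into a keystore that does not already hold the key pair under that alias creates a `trustedCertEntry`, and a connector pointed at such a keystore has no private key to serve. The two listings are constructed samples of `keytool -list` output (English-locale dates, placeholder fingerprints), and the function names are hypothetical.

```python
import re

# Constructed `keytool -list` output for a keystore made only with -importcert
# (alias taken from the question; fingerprints are placeholders).
CERT_ONLY = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

*.shemo.ge, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
"""

# Constructed output for a keystore where the CA reply was imported into the
# same keystore and alias that hold the generated key pair.
WITH_KEY = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

intermed, Feb 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
*.shemo.ge, Feb 22, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <placeholder>
"""

# "<alias>, <date>, <type>Entry," ; the date itself contains a comma.
ENTRY_RE = re.compile(r"^(?P<alias>.+?), .+, (?P<type>\w+Entry),\s*$")

def entry_types(listing):
    """Map alias -> entry type from the text of `keytool -list`."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def server_key_aliases(listing):
    """Aliases a TLS connector can serve from: only PrivateKeyEntry holds a key."""
    return [a for a, t in entry_types(listing).items() if t == "PrivateKeyEntry"]

for name, text in (("cert-only", CERT_ONLY), ("with-key", WITH_KEY)):
    keys = server_key_aliases(text)
    print(name, "->", keys if keys else "no private key: server has no usable certificate")
```

Feed it the real output of `keytool -list -keystore <file>` for the keystore named in `keystoreFile`; an empty result means the certificate was imported without its key.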
Solution 3:[3]
I had this problem recently, here is another possible solution.
My problem was in fact due to 2 things:
- Update Java 6, which doesn't support TLS 1.2, to Java 8 (1.8.0_333)
- Modified the server.xml of my Tomcat to force TLSv1.2
  - Before: clientAuth="false" sslProtocol="TLS"
  - After: clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
Hope this might help someone that is having a similar problem resolve it quicker than I did.
Cheers.
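An added example (not from any answer in this thread) that checks a `<Connector>` for the settings Solutions 1 to 3 discuss: an unset `sslEnabledProtocols`, legacy SSL versions, and a `.pfx` keystore without `keystoreType="pkcs12"`. The connector fragments, file paths, passwords and the `audit_connector` name are constructed for illustration, and the check assumes Tomcat 8's documented `keystoreType` default of JKS.

```python
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the connector in the question.
QUESTION_STYLE = r'''<Connector port="443" SSLEnabled="true" scheme="https"
  secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="C:\conf\example.jks" keystorePass="changeit"/>'''

# Constructed fragment: PKCS#12 file without keystoreType, SSLv3 still enabled.
PFX_STYLE = r'''<Connector port="443" SSLEnabled="true" sslProtocol="TLS"
  sslEnabledProtocols="SSLv3,TLSv1.2"
  keystoreFile="C:\conf\example.pfx" keystorePass="changeit"/>'''

LEGACY = {"SSLv2", "SSLv2Hello", "SSLv3"}

def audit_connector(xml_text):
    """Return a list of findings for one <Connector> element."""
    conn = ET.fromstring(xml_text)
    if conn.get("SSLEnabled", "false").lower() != "true":
        return ["not a TLS connector"]
    findings = []
    raw = conn.get("sslEnabledProtocols", "")
    protos = [p.strip() for p in raw.split(",") if p.strip()]
    if not protos:
        # Solution 3's "before" state: the JVM decides which versions are offered.
        findings.append("sslEnabledProtocols unset: versions come from JVM defaults")
    legacy = sorted(set(protos) & LEGACY)
    if legacy:
        findings.append("legacy protocol enabled: " + ",".join(legacy))
    ks_file = conn.get("keystoreFile", "")
    ks_type = conn.get("keystoreType", "JKS")  # assumed Tomcat 8 default
    if ks_file.lower().endswith((".pfx", ".p12")) and ks_type.lower() != "pkcs12":
        findings.append("keystoreFile is PKCS#12 but keystoreType is " + ks_type)
    return findings

for label, xml_text in (("question-style", QUESTION_STYLE), ("pfx-style", PFX_STYLE)):
    print(label, audit_connector(xml_text))
```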
Solution 4:[4]
In Media Services the language setting for the AudioAnalyzerPreset is there to help describe the input. According to https://docs.microsoft.com/en-us/azure/media-services/latest/analyze-video-audio-files-concept, "Specify the language for the audio payload in the input using the BCP-47 format of 'language tag-region'." Media Services does not offer translation. For that you could use something like Video Indexer (https://videoindexer.ai) that generates VTT files and translates them as well.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Bernard Moeskops |
| Solution 3 | Adam H |
| Solution 4 | David Bristol |
