Newest Chrome 53.0.2785.89 m (64-bit) rejects the SSL certificate

I have had a letsencrypt certificate installed on our Tomcat server for more than a month with no problem. But now the newest Chrome 53.0.2785.89 m (64-bit) rejects the SSL certificate with the message ‘ERR_SSL_OBSOLETE_CIPHER’. I renewed the certificate but the Chrome problem remains the same. Any idea what's the problem and how to fix it? In other browsers it's still working fine; see our website https://tomcat.netnotes.cz/netnotes/app

From the error message the issue is with the cipher - not the certificate.

A good website for suggesting the ciphers / config is https://mozilla.github.io/server-side-tls/ssl-config-generator/

From a quick look at the Tomcat documentation:
The ciphers attribute controls the ciphers used for SSL connections. By default, the default ciphers for the JVM will be used. This usually means that the weak export grade ciphers will be included in the list of available ciphers. Secure environments will normally want to configure a more limited set of ciphers. This attribute accepts the OpenSSL syntax for including/excluding cipher suites. As of 2014-11-19, with standalone Tomcat 8 and Java 8, Forward Secrecy can be achieved by specifying only TLS protocols using the sslEnabledProtocols attribute (above) and excluding non-DH ciphers, and weak/broken ciphers. The Qualys SSL/TLS test is a useful tool for configuring these settings.

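As an added illustration (not part of the original posts and not Tomcat's own code), the rule in the quoted documentation, excluding non-DH ciphers and weak/broken ciphers, can be applied to a list of JSSE suite names to build a value for the ciphers attribute. The sample suite list and the function names are constructed for this example.

```python
import re

# Tokens in a JSSE suite name that mark the suite as weak or broken.
WEAK_TOKENS = {"EXPORT", "NULL", "anon", "RC4", "DES", "DES40", "3DES", "MD5"}
# Ephemeral Diffie-Hellman key exchanges, the ones that give forward secrecy.
FS_KEY_EXCHANGES = {"DHE", "ECDHE"}

def classify(suite):
    """Return 'keep', 'weak', 'no-forward-secrecy' or 'unparsed' for a suite name."""
    m = re.match(r"^(?:TLS|SSL)_(.+?)_WITH_(.+)$", suite)
    if not m:
        return "unparsed"  # names without _WITH_ are not judged by this rule
    kx_tokens = m.group(1).split("_")
    tokens = kx_tokens + m.group(2).split("_")
    if any(t in WEAK_TOKENS for t in tokens):
        return "weak"
    if kx_tokens[0] not in FS_KEY_EXCHANGES:
        return "no-forward-secrecy"  # static RSA, DH or ECDH key exchange
    return "keep"

def connector_ciphers(suites):
    """Comma-separated list of the suites that pass, in their original order."""
    return ",".join(s for s in suites if classify(s) == "keep")

# Constructed sample: a mix of names a Java 8 JVM may offer by default.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for name in SAMPLE_SUITES:
        print(f"{classify(name):20} {name}")
    print('ciphers="' + connector_ciphers(SAMPLE_SUITES) + '"')
```

The printed ciphers value is what would go on the Connector element, and the result can then be checked with the Qualys SSL/TLS test mentioned in the quoted documentation.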
