Hi,
I'm trying to set up access via https over port 443 (running Windows Server 2012)
Note - I supplied a .key file from our CA that covers a wildcard *.domain.com.au
I have the following in server.xml
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="E:\Resources\StashHome\.keystore" keystorePass="PASSWORDHERE" />
Catalina is showing me the following:
May 15, 2013 12:59:18 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [E:\Resources\Stash\bin\${stash.home}\lib], exists: [false], isDirectory: [false], canRead: [false]
May 15, 2013 12:59:18 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [E:\Resources\Stash\bin\${stash.home}\lib], exists: [false], isDirectory: [false], canRead: [false]
May 15, 2013 12:59:19 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: E:\Resources\Stash\lib\native;E:\Resources\StashHome\lib\native
May 15, 2013 12:59:19 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
May 15, 2013 12:59:19 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
May 15, 2013 12:59:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-80"]
May 15, 2013 12:59:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-443"]
May 15, 2013 12:59:20 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1395 ms
May 15, 2013 12:59:20 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
May 15, 2013 12:59:20 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.32
May 15, 2013 1:00:23 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-80"]
May 15, 2013 1:00:23 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-443"]
May 15, 2013 1:00:23 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 62878 ms
Firefox gives me the following error:
An error occurred during a connection to git01. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
Chrome is similar
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
How do I fix this?
Thanks!
Worked around this by exporting my key from my local CA.
Then I used OpenSSL to convert it and create a p12 type keystore.
Server.xml needed a change as well:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" keystoreFile="StashHome\moo.domain.com.p12" keystorePass="PASSWORDHERE" />
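As an added example (not code from this thread or from Atlassian), this is the OpenSSL step the workaround above describes: packing a PEM certificate and its private key into a PKCS12 keystore that a keystoreType="PKCS12" connector can load, then checking that the store really holds a key entry plus certificate before pointing server.xml at it. The file names, the throwaway self-signed wildcard certificate and the password are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: build and verify a PKCS12 keystore for a Tomcat HTTPS connector.
# Assumes openssl is on PATH; paths and the password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERT_PEM="$WORK/server.crt"                # CA-issued certificate (PEM)
KEY_PEM="$WORK/server.key"                 # matching private key (PEM)
P12_OUT="$WORK/moo.domain.com.p12"         # file named in keystoreFile=
STORE_PASS="${STORE_PASS:-PASSWORDHERE}"   # must equal keystorePass= in server.xml

# Constructed stand-in for the CA cert + key: a one-day self-signed wildcard cert.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.domain.com.au" \
        -keyout "$KEY_PEM" -out "$CERT_PEM" >/dev/null 2>&1
}

# Bundle key AND certificate into one PKCS12 entry. A keystore with no usable
# private key gives Tomcat nothing to negotiate with, which browsers report as
# "no common encryption algorithm(s)" / ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
build_p12() {
    openssl pkcs12 -export \
        -inkey "$KEY_PEM" -in "$CERT_PEM" \
        -name tomcat \
        -out "$P12_OUT" -passout "pass:$STORE_PASS"
}

# Sanity check: open the store with the configured password and count the
# PEM blocks it yields (expect one private key and one certificate = 2).
verify_p12() {
    openssl pkcs12 -in "$P12_OUT" -passin "pass:$STORE_PASS" -nodes 2>/dev/null \
        | grep -c -E 'BEGIN (RSA |ENCRYPTED )?PRIVATE KEY|BEGIN CERTIFICATE'
}

make_test_cert
build_p12
verify_p12
```

Run it with STORE_PASS set to the real keystorePass; a count other than 2 means the store will not work in the connector.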
Thanks a lot - this works perfectly.
Atlassian should really overhaul their Confluence/SSL documentation.
Hi.
I think you shouldn't add 443 as a connector port there.
In my server.xml I've deactivated any other connector and just kept this one:
<Connector executor="tomcatThreadPool" port="7990" protocol="AJP/1.3" connectionTimeout="20000" redirectPort="8443" />
In my environment HTTPS comes from Apache like this:
<VirtualHost $MY_STASH_HOST:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile $CERTFILE_HERE
    SSLCertificateKeyFile $KEYFILE_HERE
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    ServerAdmin $ADMIN_EMAIL
    ServerName $MY_STASH_HOST
    ServerAlias $MY_STASH_HOST
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / ajp://localhost:7990/ connectiontimeout=5 timeout=300
    ProxyPassReverse / ajp://localhost:7990/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
But if your solution works for you and you don't plan to bring any other application behind 443, there is nothing to change.
Just my recommendation: leave standard web ports like 443 and 80 where they belong (the web server) and configure everything correctly.