Solved

Tomcat SSL behind a firewall

Posted on 2011-04-21
Last Modified: 2013-12-02
I have a Tomcat 7 acting as a web server on a Windows 2008 server. It is using a certificate from GoDaddy for SSL. Everything works fine internally. I have a Watchguard 1250 NAT rule pointing to the internal address. DNS resolves just fine. When trying to access the site from an external location, the web pages fail to load using IE8, Firefox loads okay, and Chrome gives "Err 113 ERR_SSL_VERSION_OR_CIPHER_MISMATCH". So I am inclined to believe that it has something to do with the SSL and Watchguard. I have a similar server using a self-signed certificate with no problem.

          <!-- Tomcat 7 APR/OpenSSL connector: HTTPS served on port 8080, handshake limited to TLS 1.0 -->
          <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
                     port="8080" maxThreads="200"
                     scheme="https" secure="true" SSLEnabled="true"
                     SSLCertificateFile="C:\keystore\certfile.crt"
                     SSLCertificateKeyFile="C:\keystore\keyfile"
                     SSLPassword="hpassword"
                     SSLCertificateChainFile="C:\keystore\chainfile"
                     keyAlias="keyalias"
                     SSLProtocol="TLSv1"/>
          <!-- keyAlias is a JSSE (keystore) connector attribute; the APR connector ignores it and
               uses the PEM files named above. SSLProtocol="TLSv1" accepts TLS 1.0 only. -->

-Daniel
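A way to see what the browser sees, added here as an example and not part of the original post: send a raw TLS ClientHello pinned to one protocol version (the connector above pins SSLProtocol="TLSv1") and classify the first record that comes back. A ServerHello means the version and one of the offered ciphers were accepted; a fatal protocol_version or handshake_failure alert, or an abrupt close, is the wire-level event Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Running it once from inside the network and once from outside shows whether the device in front of Tomcat answers differently from Tomcat itself. The host and port arguments, and the sample records in the docstrings, are assumptions constructed for the example.

```python
"""Minimal TLS probe: send one ClientHello, classify the first reply record.

Added example, not code from the thread. Host/port are assumed arguments;
the default port 8080 matches the connector quoted in the question.
"""
import os
import socket
import struct
import sys

TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      47: "illegal_parameter", 70: "protocol_version", 80: "internal_error"}
CIPHER_NAMES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}


def build_client_hello(version=(3, 1), cipher_suites=(0x002F, 0x0035, 0x000A), server_name=None):
    """Assemble a ClientHello record offering exactly `version` and `cipher_suites`."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = struct.pack("!BB", *version) + os.urandom(32)  # client_version + 32-byte random
    body += b"\x00"                                         # empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                     # one compression method: null
    if server_name:                                         # SNI, so a name-aware proxy sees the name
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!BBH", version[0], version[1], len(handshake)) + handshake


def classify_response(data):
    """Classify the first TLS record in `data` (bytes read from the socket)."""
    if len(data) < 5:
        return {"kind": "closed"}          # EOF or RST before any record arrived
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:     # Alert record: level, description
        level, desc = body[0], body[1]
        return {"kind": "alert", "level": "fatal" if level == 2 else "warning",
                "description": ALERT_DESCRIPTIONS.get(desc, "alert_%d" % desc)}
    if ctype == 22 and len(body) >= 39 and body[0] == 2:   # Handshake record carrying ServerHello
        version = (body[4], body[5])       # bytes 1-3 are the handshake length
        off = 39 + body[38]                # skip 32-byte random and the session id
        if len(body) < off + 3:
            return {"kind": "truncated"}
        cipher = struct.unpack("!H", body[off:off + 2])[0]
        return {"kind": "server_hello", "version": TLS_VERSIONS.get(version, str(version)),
                "cipher": "0x%04X" % cipher, "cipher_name": CIPHER_NAMES.get(cipher, "unknown")}
    return {"kind": "other", "content_type": ctype}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=8080, version=(3, 1), server_name=None, timeout=5.0):
    """Connect, send one ClientHello, return the classification of the first record."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version, server_name=server_name or host))
            header = _recv_exact(sock, 5)
            if len(header) < 5:
                return {"kind": "closed"}
            length = struct.unpack("!H", header[3:5])[0]
            return classify_response(header + _recv_exact(sock, length))
    except OSError as exc:
        return {"kind": "error", "detail": repr(exc)}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed defaults
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    for version in ((3, 1), (3, 3)):
        print(TLS_VERSIONS[version], probe(host, port, version))
```

Comparing the two runs is the useful part: if Tomcat answers a TLS 1.0 ClientHello with a ServerHello from the LAN but the public address returns a fatal alert, a close, or a ServerHello with a cipher Tomcat was never configured with, the difference is being introduced by whatever terminates or inspects the connection in between.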

Question by: danielq
Accepted Solution by: Brian (ID: 35445919)
Is there a policy, outgoing especially, that is stripping any packet information? Most proxy policies will at least change the machine name. This will then not match the name on the cert.
Assisted Solution by: setasoujiro (ID: 35720367)
Did you check the policy in Watchguard?
If you chose a proxy, did you select "https client" or "server" as the proxy action?
Author Closing Comment by: danielq (ID: 35720553)
Yes, I changed my rule from a proxy to a TCP/UDP packet rule.