Subject: Re: Internal error upon seeing the "Camellia" cipher suites in the SSL handshake message
From: Tim Ellison
To: dev@harmony.apache.org
Date: Sat, 06 Sep 2008 20:09:37 +0100
Message-ID: <48C2D571.80400@gmail.com>
In-Reply-To: <48BE2B5F.1050003@gmail.com>

Please try again with SVN revision r692675 or later. Works for me now.

Regards,
Tim

Suresh Kumar J wrote:
> Hi
>
> I have a web-application which runs on Apache-Tomcat v6.0.13. I am using
> the Apache Harmony JRE (v6).
> When I try to launch the application on the
> latest FireFox v3.0.1 browser, Tomcat errors out with the following
> message in the catalina.out:
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>     at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>     at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> After debugging the issue, it turns out that Apache-Tomcat is
> not able to handle the full set of cipher suites implemented in the
> latest FireFox v3.0.1:
> dhe_dss_camellia_128_sha (0x000044)
> dhe_dss_camellia_256_sha (0x000087)
> dhe_rsa_camellia_128_sha (0x000045)
> dhe_rsa_camellia_256_sha (0x000088)
> rsa_camellia_128_sha (0x000041)
> rsa_camellia_256_sha (0x000084)
>
> In order to make my web application work with the FireFox browser
> (v3.0.1), the above-mentioned cipher suites need to be "disabled" in the
> browser via the "about:config" option.
>
> * I have the default lib/security/java.security config of the Harmony
> JRE.
> * Below is the snippet of the server.xml config file of the Tomcat server:
> ----------------------------
>     maxThreads="150" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>     keystoreFile="conf/my-key-store" keystorePass="abcd"/>
> ----------------------------
>
> * Why does Tomcat (when used with the Harmony JRE) error out if it doesn't
> understand some of the cipher suites? Instead it should gracefully
> ignore them.
>
> * I have enclosed the packet capture which shows the SSL handshake message
> from the client (frame$4) and the response from the Tomcat server which
> has the internal error (frame$6).
>
> * Here is the bug filed on apache-tomcat which got rejected, saying the
> issue was not actually Tomcat's but the Harmony JRE's:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=45730
>
> * Here was my posting in the firefox-security-dev mailing list:
> http://www.nabble.com/FireFox-v3.0.1-of-Windows-uses-SSLv2-Record-Layer-even-when-SSLv2-is-disabled-td19239646.html
>
> * Here was my posting in the tomcat-user mailing list:
> http://www.nabble.com/How-to-make-to-Apache-Tomcat-6.0.13-to-support-all-of-SSLv2-SSLv3-and-TLS-protocols-tt19228675.html
>
> Any inputs on this issue would be appreciated.
>
> Thanks,
> Suresh
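The negotiation failure discussed in this thread, as an added example that is not part of the original message or of the Harmony or Tomcat code: a server-side routine that parses the cipher_suites vector of a TLS ClientHello and selects a suite, shown in a brittle form (every client code is looked up as though the server must know it, so the Camellia codes 0x0041/0x0044/0x0045/0x0084/0x0087/0x0088 quoted above surface as an internal error even though a perfectly good shared suite was offered) and in the tolerant form (codes the server does not implement are simply not candidates, and only an empty intersection is a handshake failure). The server's supported-suite list, the suite names, and the Firefox-3-like offer are constructed for the example; the ClientHello builder produces a TLS 1.0 body without extensions.

```python
"""Tolerant vs. brittle cipher-suite negotiation for a TLS server (constructed example)."""
import os
import struct

# Suite codes from the IANA TLS cipher-suite registry. The six Camellia codes
# are the ones the Firefox 3.0.1 capture in the thread offered.
RSA_RC4_128_SHA          = 0x0005
RSA_3DES_EDE_CBC_SHA     = 0x000A
RSA_AES_128_CBC_SHA      = 0x002F
RSA_AES_256_CBC_SHA      = 0x0035
RSA_CAMELLIA_128_SHA     = 0x0041
DHE_DSS_CAMELLIA_128_SHA = 0x0044
DHE_RSA_CAMELLIA_128_SHA = 0x0045
RSA_CAMELLIA_256_SHA     = 0x0084
DHE_DSS_CAMELLIA_256_SHA = 0x0087
DHE_RSA_CAMELLIA_256_SHA = 0x0088

# Hypothetical server: what it implements, in its own preference order.
SERVER_SUITES = [RSA_AES_256_CBC_SHA, RSA_AES_128_CBC_SHA, RSA_3DES_EDE_CBC_SHA]
SUITE_NAMES = {
    RSA_AES_256_CBC_SHA: "TLS_RSA_WITH_AES_256_CBC_SHA",
    RSA_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA",
    RSA_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

class HandshakeFailure(Exception):
    """Would be sent as a TLS handshake_failure alert: no suite in common."""

class DecodeError(Exception):
    """Would be sent as a TLS decode_error alert: malformed ClientHello."""

def build_client_hello(suites, version=(3, 1)):
    """Constructed test input: a TLS 1.0 ClientHello body with an empty session_id
    and no extensions."""
    body = bytes(version) + os.urandom(32) + b"\x00"       # version, random, session_id
    body += struct.pack("!H", 2 * len(suites))             # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # compression_methods: [null]
    return body

def parse_cipher_suites(body):
    """Return the offered suite codes, bounds-checking every length field."""
    if len(body) < 35:
        raise DecodeError("ClientHello too short")
    sid_len = body[34]
    off = 35 + sid_len
    if sid_len > 32 or off + 2 > len(body):
        raise DecodeError("bad session_id")
    (cs_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if cs_len < 2 or cs_len % 2 or off + cs_len > len(body):
        raise DecodeError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]

def negotiate_brittle(offered):
    """Failure mode from the thread: every client code is resolved to a name first,
    so the first code the server has no entry for raises KeyError, which a caller
    that does not expect it reports as an internal error."""
    names = [SUITE_NAMES[s] for s in offered]
    for s in SERVER_SUITES:
        if SUITE_NAMES[s] in names:
            return s
    raise HandshakeFailure("no shared cipher suite")

def negotiate(offered):
    """Correct behaviour: pick the server's most-preferred suite the client also
    offered; codes the server does not implement are ignored, and only an empty
    intersection is a handshake failure."""
    client_set = set(offered)
    for s in SERVER_SUITES:
        if s in client_set:
            return s
    raise HandshakeFailure("no shared cipher suite")

def outcome(negotiator, offered):
    """Label how a negotiator handles an offer, for side-by-side comparison."""
    try:
        return "selected " + SUITE_NAMES[negotiator(offered)]
    except KeyError as e:
        return "internal error on 0x%04x" % e.args[0]
    except HandshakeFailure:
        return "handshake_failure"

# Constructed offer in the style of Firefox 3: AES and 3DES interleaved with Camellia.
FIREFOX3_LIKE_OFFER = [
    RSA_AES_256_CBC_SHA, DHE_DSS_CAMELLIA_256_SHA, DHE_RSA_CAMELLIA_256_SHA,
    RSA_CAMELLIA_256_SHA, RSA_AES_128_CBC_SHA, DHE_DSS_CAMELLIA_128_SHA,
    DHE_RSA_CAMELLIA_128_SHA, RSA_CAMELLIA_128_SHA, RSA_3DES_EDE_CBC_SHA, RSA_RC4_128_SHA,
]

if __name__ == "__main__":
    offered = parse_cipher_suites(build_client_hello(FIREFOX3_LIKE_OFFER))
    print("brittle server :", outcome(negotiate_brittle, offered))
    print("tolerant server:", outcome(negotiate, offered))
```

The brittle path fails on the first Camellia code it meets although TLS_RSA_WITH_AES_256_CBC_SHA is in both lists; the tolerant path selects it. Disabling the Camellia suites in about:config, as the poster had to, only hides the server bug: any future client-side suite the JSSE provider has no table entry for would trigger the same INTERNAL ERROR.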