tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers
Date Tue, 05 Mar 2013 00:46:10 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Tim,

On 3/3/13 4:18 PM, Tim Whittington wrote:
> On Tue, Feb 19, 2013 at 10:59 AM, Giuseppe Sacco 
> <giuseppe@eppesuigoccas.homedns.org> wrote: [...]
> 
>> I listed all providers here: 
>> http://centrum.lixper.it/~giuseppe/ipad-tomcat-list-ciphers-no-bouncycastle.html
>>
>> 
as you may see, a few of them are TLS_RSA and TLS_DHE:
>> *       TLS_RSA_WITH_AES_128_CBC_SHA *
>> TLS_RSA_WITH_AES_256_CBC_SHA *
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA *
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA *
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA *
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> 
>> They are also listed as "default" ciphers, so -- if I understood
>> what default means -- they should not be enabled explicitly.
>> 
>> They overlap with those client ciphers: 
>> TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA 
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> 
>> Is there any possibility that some of those server ciphers are
>> disabled because of the algorithm used in the server certificate?
>> Its signature algorithm is SHA1withDSA. I created it with this
>> command line: keytool -genkeypair -alias tomcat -keystore
>> ~tomcat6/.keystore
> 
> Yes. If the server keys are DSA, then only cipher suites using
> DSS/*DSA will be negotiated. In this case, the only DSS cipher
> suite that your client appears to support is
> TLS_DHE_DSS_WITH_NULL_SHA, which isn't supported by Java 6 or 7.

Good catch. I recently tried to get a DSA key to work *at all* with
Apache httpd and I simply could not. I didn't try too hard, honestly,
because I didn't really care.

My recommendation would be to stick with an RSA key unless you have
some specific reason not to use one (and I'd like to hear that reason).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlE1QFIACgkQ9CaO5/Lv0PCdOQCdFA1+Yp3tgWYuzZp39wndEwyF
aUkAmgLH2S+B6sH/ilgAJkCSsSTI/2xm
=JDLH
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message