tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Whittington <t...@apache.org>
Subject Re: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers
Date Sun, 03 Mar 2013 22:18:03 GMT
On Tue, Feb 19, 2013 at 10:59 AM, Giuseppe Sacco
<giuseppe@eppesuigoccas.homedns.org> wrote:
[...]

> I listed all providers here:
> http://centrum.lixper.it/~giuseppe/ipad-tomcat-list-ciphers-no-bouncycastle.html
> as you may see, a few of them are TLS_RSA and TLS_DHE:
> *       TLS_RSA_WITH_AES_128_CBC_SHA
> *       TLS_RSA_WITH_AES_256_CBC_SHA
> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> *       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> *       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> They are also listed as "default" ciphers, so -- if I understood what
> default means -- they should not be enabled explicitly.
>
> They overlap with those client ciphers:
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> Is there any possibility that some of those server ciphers are disabled
> because of the algorithm used in the server certificate? Its signature
> algorithm is SHA1withDSA. I created it with this command line:
> keytool -genkeypair -alias tomcat -keystore ~tomcat6/.keystore

Yes.
If the server keys are DSA, then only cipher suites using DSS/*DSA
will be negotiated.
In this case, the only DSS cipher suite that your client appears to
support is TLS_DHE_DSS_WITH_NULL_SHA, which isn't supported by Java 6
or 7.

> A side note: is it possibile to put tomcat behind a web server and make
> the latter encrypt in SSL? This would imply that communication between
> the web server and tomcat would be in clear, but how do I  create the
> connector proxy* information? I may specify proxyName and proxyPort, but
> I cannot specify proxyProtocol. Is this right?
>

tim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message