tomcat-users mailing list archives

From Chirag Dewan <chirag.dewa...@yahoo.in>
Subject Re: Issue while using SSL with Embedded Tomcat 6.0.37
Date Wed, 09 Oct 2013 06:16:13 GMT
Hi Chris,

Thanks for the code, it helped a lot.

Now, using that code on my server machine I found out that TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
is not even in the default ciphers for jdk1.6.0_39. Isn't this strange behaviour? The server
can only select available ciphers, I suppose.

Thanks

Chirag





On Tuesday, 8 October 2013 9:10 PM, Christopher Schultz <chris@christopherschultz.net>
wrote:
 
Chirag,

On 10/8/13 6:01 AM, Chirag Dewan wrote:
> I am using Embedded Tomcat 6.0.37. I have a servlet which is
> running over HTTPS using SSL Connector. I have a Java Keystore with
> Customer Certificate imported in it.
> 
> Now, there is an HTTP client on the customer's end which connects
> with the servlet over HTTPS (I have very little information about
> the customer's client configuration).
> 
> The problem we are facing is:
> 
> For the first request from the client, the SSL handshaking fails.

How, specifically? What do you observe on the server? What do you
observe on the client?

> From second request, handshaking is completed successfully and the 
> requests are processed. I have observed when Server selects 
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the cipher suite, only then
> the Server sends a reset to the client and the handshaking fails.
> On second request, with same cipher suite, it works fine.

So the first request and second request seem to both negotiate the
same cipher suite (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) but the first
one fails?

> Can anyone assist me in understanding why it is failing for the
> first time? And is there any way I can force the Tomcat not to
> select this cipher suite? Or any other way that I can resolve this
> issue.

See the Connector documentation, specifically the "cipherSuites"
attribute. Unfortunately, Tomcat's cipherSuites configuration is only
explicit... you can't say something like "defaults without
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA".

See this thread in the archives for a short program that will dump out
the available cipher suites and indicate which ones are available by
default in your environment (note that the results will change for
every different version of Java you use):
http://markmail.org/message/zn4namfhypyxum23

-chris
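
Added example, not part of the original thread and not the program linked in the reply: a Java 6 compatible class that lists the JVM's supported server cipher suites, marks the ones enabled by default, and prints the default list minus the suite discussed above as a comma-separated value for an explicit cipher list. The class and method names are hypothetical; it assumes the default JSSE provider, which reports some older suites under an SSL_ prefix, so names are compared with the TLS_/SSL_ prefix stripped.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

public class DefaultsWithout {
    // Suite to leave out; this is the one named in the thread.
    static final String EXCLUDED = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";

    /** Drops a leading TLS_ or SSL_ so both spellings of one suite compare equal. */
    static String bare(String suite) {
        return suite.replaceFirst("^(TLS|SSL)_", "");
    }

    /** Returns the suites whose bare name differs from the excluded one, order kept. */
    static List<String> without(String[] suites, String excluded) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!bare(s).equals(bare(excluded))) {
                kept.add(s);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] defaults = f.getDefaultCipherSuites();
        String[] supported = f.getSupportedCipherSuites();
        Set<String> defaultSet = new HashSet<String>(Arrays.asList(defaults));

        // '*' marks a suite that is enabled by default on this JVM.
        for (String s : supported) {
            System.out.println((defaultSet.contains(s) ? "* " : "  ") + s);
        }

        // Explicit list equivalent to "defaults without EXCLUDED".
        StringBuilder csv = new StringBuilder();
        for (String s : without(defaults, EXCLUDED)) {
            if (csv.length() > 0) csv.append(',');
            csv.append(s);
        }
        System.out.println("defaults dropped: "
                + (defaults.length - without(defaults, EXCLUDED).size()));
        System.out.println(csv);
    }
}
```

Run it with the same JVM that hosts the embedded Tomcat, since the default and supported lists differ between Java versions.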
