tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Sat, 04 Jan 2014 19:54:14 GMT

Chuck,

On 1/3/14, 12:32 PM, Caldarale, Charles R wrote:
>> From: Mudassir Aftab [mailto:withmudassir@gmail.com] Subject: Re:
>> TLS is not working in 6.0.37, 7.0.42, 7.0.47
> 
>> <Connector port="8443" 
>> protocol="org.apache.coyote.http11.Http11AprProtocol" 
>> maxThreads="200" clientAuth="false" 
>> *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*
> 
> Why are there asterisks on that config line?  Remove them if
> they're actually present.  Don't try to get cute with formatting
> tricks like bolding text, since this is a plaintext mailing list.
> 
>> Jan 03, 2014 5:09:49 PM
>> org.apache.catalina.core.AprLifecycleListener initializeSSL INFO:
>> OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
> 
> You need to update the OpenSSL version to 1.0.1e, which contains
> fixes for TLS 1.1 and 1.2 negotiation.  Once that's installed (and
> tcnative rebuilt), verify that the desired cipher is available with
> the "openssl ciphers" command.
> 
> You also need to confirm that your client is capable of TLSv1.2
> using the above cipher.  As stated before, getting a Wireshark or
> tcpdump trace of the negotiation would show what the client
> allows.

+1

You might want to look at sslscan, or use
https://www.ssllabs.com/ssltest/index.html to test your server. It can
tell you what ciphers are supported, etc. even if your client is
misbehaving.

-chris



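The thread suggests a Wireshark or tcpdump trace to see what the client allows. As an added example (not part of the original messages), this Python sketch reads one ClientHello record and reports whether the client offers TLSv1.2 together with the suite behind `ECDHE-ECDSA-AES128-SHA256` (IANA id 0xC023). Assumptions: the function names are hypothetical, the sample records are constructed rather than captured, and the ClientHello fits in a single TLS record.

```python
import struct

TARGET_SUITE = 0xC023  # IANA id of ECDHE-ECDSA-AES128-SHA256 (OpenSSL name)
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Return highest offered version and cipher suite ids from one TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        version = struct.unpack_from("!H", hello, 0)[0]
        pos = 2 + 32               # skip client_version and random
        pos += 1 + hello[pos]      # skip session_id
        cs_len = struct.unpack_from("!H", hello, pos)[0]
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    suites = list(struct.unpack(f"!{cs_len // 2}H", raw))
    return {"version": TLS_VERSIONS.get(version, hex(version)), "suites": suites}

def client_can_negotiate(record: bytes) -> bool:
    """True if the client offers TLSv1.2 and the suite the Connector requires."""
    info = parse_client_hello(record)
    return info["version"] == "TLSv1.2" and TARGET_SUITE in info["suites"]

def build_sample(version: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record (sample data, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    hello += b"\x01\x00"           # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed samples, not captured traffic.
SAMPLE_TLS12 = build_sample(0x0303, [0xC023, 0xC027, 0x002F])
SAMPLE_TLS10 = build_sample(0x0301, [0xC009, 0x002F])

if __name__ == "__main__":
    for name, rec in (("TLS 1.2 client", SAMPLE_TLS12), ("TLS 1.0 client", SAMPLE_TLS10)):
        print(name, parse_client_hello(rec), client_can_negotiate(rec))
```

To use it on real traffic, pass the raw bytes of the first client-to-server TLS record from the capture; a client that offers only TLSv1.0 or omits 0xC023 cannot complete a handshake with a Connector restricted to this one suite.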