tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Sat, 04 Jan 2014 21:08:59 GMT

Mudassir,

On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> Again, we have to submit this as a bug.....TLS 1.2 is not working
> in Tomcat

Tomcat 7.0.74
Oracle Java 1.7.0_45
tcnative 1.1.29 trunk (essentially 1.2.29)

tcnative$ make clean
tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
tcnative$ time make
[...]
make[1]: Leaving directory
`/home/cschultz/projects/tomcat-native-1.1.x/native'

real	0m14.790s
user	0m15.300s
sys	0m1.840s

tcnative$ cp -d .libs/* $CATALINA_HOME/bin

tcnative$ cd $CATALINA_BASE

tomcat$ cat conf/server.xml

[...]
       <Connector port="8218"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               secure="true"
               scheme="https"
               SSLCertificateKeyFile="[...]"
               SSLCertificateFile="[...]"
               SSLCertificateChainFile="[...]"
               SSLProtocol="all"
               executor="tomcatThreadPool"
               URIEncoding="UTF-8" />
[...]

tomcat$ bin/startup.sh

[...]
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
version 1.4.6.
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
[...]

tomcat$ openssl s_client -connect myhost:8218
[...]
verify error:num=19:self signed certificate in certificate chain
[...]
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
[...]

*disconnect*

I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.

Looks like TLS1.2 works just fine in the default configuration
(SSLProtocol="all" is the default).

Let's try your configuration. I'm only going to change SSLProtocol
from "all" to "TLSv1":

       <Connector port="8218"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               secure="true"
               scheme="https"
               SSLCertificateKeyFile="[...]"
               SSLCertificateFile="[...]"
               SSLCertificateChainFile="[...]"
               SSLProtocol="TLSv1"
               executor="tomcatThreadPool"
               URIEncoding="UTF-8" />

*Restart Tomcat*

tomcat$ openssl s_client -connect myhost:8218
[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
[...]

Trying again with Firefox 26 gives me
cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.

Let's try restricting to only your cipher. Let's make sure that my
OpenSSL version supports it, first:

tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)
Mac=SHA256


Yup. Let's configure it in Tomcat:

       <Connector port="8218"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               secure="true"
               scheme="https"
               SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
               SSLCertificateKeyFile="[...]"
               SSLCertificateFile="[...]"
               SSLCertificateChainFile="[...]"
               SSLProtocol="TLSv1"
               executor="tomcatThreadPool"
               URIEncoding="UTF-8" />


$ openssl s_client -connect myhost:8218
CONNECTED(00000003)
139718306563752:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:741:

$ openssl s_client -tls1 -connect myhost:8218
CONNECTED(00000003)
139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:

$ openssl s_client -tls1_1 -connect myhost:8218
CONNECTED(00000003)
140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:

$ openssl s_client -tls1_2 -connect myhost:8218
CONNECTED(00000003)
139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:

Firefox also fails with "ssl_error_no_cypher_overlap".

$ sslscan myhost:8218
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server myhost on port 8218

  Supported Server Cipher(s):
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  AECDH-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ADH-AES256-SHA256
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
    Failed    SSLv3  256 bits  AES256-GCM-SHA384
    Failed    SSLv3  256 bits  AES256-SHA256
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  256 bits  CAMELLIA256-SHA
    Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
    Rejected  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
    Rejected  SSLv3  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  ECDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  ECDH-ECDSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
    Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  SSLv3  128 bits  SRP-DSS-AES-128-CBC-SHA
    Rejected  SSLv3  128 bits  SRP-RSA-AES-128-CBC-SHA
    Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
    Rejected  SSLv3  128 bits  AECDH-AES128-SHA
    Rejected  SSLv3  128 bits  SRP-AES-128-CBC-SHA
    Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ADH-AES128-SHA256
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  ADH-SEED-SHA
    Rejected  SSLv3  128 bits  ADH-CAMELLIA128-SHA
    Failed    SSLv3  128 bits  ECDH-RSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDH-RSA-AES128-SHA256
    Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-SHA256
    Rejected  SSLv3  128 bits  ECDH-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  ECDH-ECDSA-AES128-SHA
    Failed    SSLv3  128 bits  AES128-GCM-SHA256
    Failed    SSLv3  128 bits  AES128-SHA256
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  128 bits  SEED-SHA
    Rejected  SSLv3  128 bits  CAMELLIA128-SHA
    Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
    Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  SSLv3  128 bits  AECDH-RC4-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  128 bits  ECDH-RSA-RC4-SHA
    Rejected  SSLv3  128 bits  ECDH-ECDSA-RC4-SHA
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Failed    SSLv3  128 bits  PSK-RC4-SHA
    Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
    Rejected  SSLv3  56 bits   DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
    Rejected  SSLv3  40 bits   EXP-RC4-MD5
    Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
    Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
    Rejected  SSLv3  0 bits    AECDH-NULL-SHA
    Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
    Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA
    Failed    SSLv3  0 bits    NULL-SHA256
    Rejected  SSLv3  0 bits    NULL-SHA
    Rejected  SSLv3  0 bits    NULL-MD5
    Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  TLSv1  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  TLSv1  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    TLSv1  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA256
    Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA256
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-CAMELLIA256-SHA
    Rejected  TLSv1  256 bits  AECDH-AES256-SHA
    Rejected  TLSv1  256 bits  SRP-AES-256-CBC-SHA
    Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ADH-AES256-SHA256
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  ADH-CAMELLIA256-SHA
    Failed    TLSv1  256 bits  ECDH-RSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDH-RSA-AES256-SHA384
    Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-SHA384
    Rejected  TLSv1  256 bits  ECDH-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  ECDH-ECDSA-AES256-SHA
    Failed    TLSv1  256 bits  AES256-GCM-SHA384
    Failed    TLSv1  256 bits  AES256-SHA256
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  256 bits  CAMELLIA256-SHA
    Failed    TLSv1  256 bits  PSK-AES256-CBC-SHA
    Rejected  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
    Rejected  TLSv1  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  AECDH-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  SRP-3DES-EDE-CBC-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  ECDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  ECDH-ECDSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  DES-CBC3-SHA
    Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
    Failed    TLSv1  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDHE-RSA-AES128-SHA256
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  TLSv1  128 bits  SRP-DSS-AES-128-CBC-SHA
    Rejected  TLSv1  128 bits  SRP-RSA-AES-128-CBC-SHA
    Failed    TLSv1  128 bits  DHE-DSS-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  DHE-RSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA256
    Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA256
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-SEED-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-CAMELLIA128-SHA
    Rejected  TLSv1  128 bits  AECDH-AES128-SHA
    Rejected  TLSv1  128 bits  SRP-AES-128-CBC-SHA
    Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ADH-AES128-SHA256
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  ADH-SEED-SHA
    Rejected  TLSv1  128 bits  ADH-CAMELLIA128-SHA
    Failed    TLSv1  128 bits  ECDH-RSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDH-RSA-AES128-SHA256
    Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-SHA256
    Rejected  TLSv1  128 bits  ECDH-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  ECDH-ECDSA-AES128-SHA
    Failed    TLSv1  128 bits  AES128-GCM-SHA256
    Failed    TLSv1  128 bits  AES128-SHA256
    Rejected  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  128 bits  SEED-SHA
    Rejected  TLSv1  128 bits  CAMELLIA128-SHA
    Failed    TLSv1  128 bits  PSK-AES128-CBC-SHA
    Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  TLSv1  128 bits  AECDH-RC4-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  128 bits  ECDH-RSA-RC4-SHA
    Rejected  TLSv1  128 bits  ECDH-ECDSA-RC4-SHA
    Rejected  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Failed    TLSv1  128 bits  PSK-RC4-SHA
    Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    ECDHE-RSA-NULL-SHA
    Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
    Rejected  TLSv1  0 bits    AECDH-NULL-SHA
    Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA
    Rejected  TLSv1  0 bits    ECDH-ECDSA-NULL-SHA
    Failed    TLSv1  0 bits    NULL-SHA256
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

The cipher appears to be supported by both client (OpenSSL s_client)
and server (Also using the same version of OpenSSL) but the handshake
cannot complete.

Let's try another cipher. How about one that worked before:
DHE-RSA-AES256-SHA


       <Connector port="8218"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               secure="true"
               scheme="https"
               SSLCipherSuite="DHE-RSA-AES256-SHA"
               SSLCertificateKeyFile="[...]"
               SSLCertificateFile="[...]"
               SSLCertificateChainFile="[...]"
               SSLProtocol="TLSv1"
               executor="tomcatThreadPool"
               URIEncoding="UTF-8" />

$ openssl s_client -connect myhost:8218
[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
[...]

Works. Firefox 26 also works.

There must be some kind of problem with configuring
ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?

-chris
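An added example, not part of the original message: a shell check that reads `openssl ciphers -v` lines and compares a cipher's protocol column and `Au=` field against the connector's highest enabled protocol and the certificate's key type. The ECDHE-ECDSA line is the one shown in the message; the DHE-RSA line, the function names and the RSA key type used in the sample calls are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message).
# First line: copied from the `openssl ciphers -v` output in the message.
# Second line: constructed, in the format OpenSSL 1.0.1 prints for that suite.
CIPHERS_V='ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1'

# Map a protocol name to an ordinal so versions can be compared.
proto_rank() {
  case "$1" in
    SSLv3)   echo 0 ;;
    TLSv1)   echo 1 ;;
    TLSv1.1) echo 2 ;;
    TLSv1.2) echo 3 ;;
    *)       echo -1 ;;
  esac
}

# check_cipher NAME HIGHEST_ENABLED_PROTOCOL CERT_KEY_TYPE
# Prints one of: ok | unknown-cipher | protocol-too-low | cert-mismatch
check_cipher() {
  line=$(printf '%s\n' "$CIPHERS_V" | awk -v n="$1" '$1 == n { print; exit }')
  [ -n "$line" ] || { echo unknown-cipher; return; }

  # Column 2 is the lowest protocol version in which the suite is defined.
  min=$(printf '%s\n' "$line" | awk '{ print $2 }')
  # Au= names the key type the server certificate must carry.
  au=$(printf '%s\n' "$line" |
       awk '{ for (i = 3; i <= NF; i++) if ($i ~ /^Au=/) print substr($i, 4) }')

  if [ "$(proto_rank "$min")" -gt "$(proto_rank "$2")" ]; then
    echo protocol-too-low; return
  fi
  case "$au" in
    None) ;;   # anonymous suites need no certificate
    "$3") ;;   # certificate key type matches the suite
    *) echo cert-mismatch; return ;;
  esac
  echo ok
}

# Sample calls for the two SSLCipherSuite values tried in the message,
# with the highest protocol that SSLProtocol="TLSv1" leaves enabled.
# The RSA certificate key type is an assumption.
for c in ECDHE-ECDSA-AES128-SHA256 DHE-RSA-AES256-SHA; do
  printf '%-28s %s\n' "$c" "$(check_cipher "$c" TLSv1 RSA)"
done
```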
