tomcat-users mailing list archives

From Mark Eggers <its_toas...@yahoo.com>
Subject Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Sat, 04 Jan 2014 23:37:58 GMT
On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mudassir,
>
> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
>> Mudassir,
>>
>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>>> Again, we have to submit this as a bug.....TLS 1.2 is not
>>> working in Tomcat
>>
>> Tomcat 7.0.74
>> Oracle Java 1.7.0_45
>> tcnative 1.1.29 trunk (essentially 1.2.29)
>>
>> tcnative$ make clean
>> tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
>> tcnative$ time make
>> [...]
>> make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
>>
>> real	0m14.790s
>> user	0m15.300s
>> sys	0m1.840s
>>
>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>>
>> tcnative$ cd $CATALINA_BASE
>>
>> tomcat$ cat conf/server.xml
>>
>> [...]
>>         <Connector port="8218"
>>                 protocol="org.apache.coyote.http11.Http11AprProtocol"
>>                 SSLEnabled="true"
>>                 secure="true"
>>                 scheme="https"
>>                 SSLCertificateKeyFile="[...]"
>>                 SSLCertificateFile="[...]"
>>                 SSLCertificateChainFile="[...]"
>>                 SSLProtocol="all"
>>                 executor="tomcatThreadPool"
>>                 URIEncoding="UTF-8" />
>> [...]
>>
>> tomcat$ bin/startup.sh
>>
>> [...]
>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
>> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
>> [...]
>>
>> tomcat$ openssl s_client -connect myhost:8218
>> [...]
>> verify error:num=19:self signed certificate in certificate chain
>> [...]
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>> [...]
>>
>> *disconnect*
>>
>> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
>> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>>
>> Looks like TLS1.2 works just fine in the default configuration
>> (SSLProtocol="all" is the default).
>>
>> Let's try your configuration. I'm only going to change SSLProtocol
>> from "all" to "TLSv1":
>>
>>         <Connector port="8218"
>>                 protocol="org.apache.coyote.http11.Http11AprProtocol"
>>                 SSLEnabled="true"
>>                 secure="true"
>>                 scheme="https"
>>                 SSLCertificateKeyFile="[...]"
>>                 SSLCertificateFile="[...]"
>>                 SSLCertificateChainFile="[...]"
>>                 SSLProtocol="TLSv1"
>>                 executor="tomcatThreadPool"
>>                 URIEncoding="UTF-8" />
>>
>> *Restart Tomcat*
>>
>> tomcat$ openssl s_client -connect myhost:8218
>> [...]
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>> [...]
>>
>> Trying again with Firefox 26 gives me
>> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>>
>> Let's try restricting to only your cipher. Let's make sure that my
>> OpenSSL version supports it, first:
>>
>> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
>> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA  Enc=AES(128)  Mac=SHA256
>>
>>
>> Yup. Let's configure it in Tomcat:
>>
>>         <Connector port="8218"
>>                 protocol="org.apache.coyote.http11.Http11AprProtocol"
>>                 SSLEnabled="true"
>>                 secure="true"
>>                 scheme="https"
>>                 SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>>                 SSLCertificateKeyFile="[...]"
>>                 SSLCertificateFile="[...]"
>>                 SSLCertificateChainFile="[...]"
>>                 SSLProtocol="TLSv1"
>>                 executor="tomcatThreadPool"
>>                 URIEncoding="UTF-8" />
>>
>> $ openssl s_client -connect myhost:8218
>> CONNECTED(00000003)
>> 139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>>
>> $ openssl s_client -tls1 -connect myhost:8218
>> CONNECTED(00000003)
>> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
>> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>>
>> $ openssl s_client -tls1_1 -connect myhost:8218
>> CONNECTED(00000003)
>> 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>>
>> $ openssl s_client -tls1_2 -connect myhost:8218
>> CONNECTED(00000003)
>> 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>>
>> Firefox also fails with "ssl_error_no_cypher_overlap".
>>
>> $ sslscan myhost:8218
>>                    _
>>          ___ ___| |___  ___ __ _ _ __
>>         / __/ __| / __|/ __/ _` | '_ \
>>         \__ \__ \ \__ \ (_| (_| | | | |
>>         |___/___/_|___/\___\__,_|_| |_|
>>
>>                   Version 1.8.2
>>              http://www.titania.co.uk
>>         Copyright Ian Ventura-Whiting 2009
>>
>> Testing SSL server myhost on port 8218
>>
>>   Supported Server Cipher(s):
>>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
>>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
>>     Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
>>     Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
>>     Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
>>     Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
>>     Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
>>     Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
>>     Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
>>     Rejected  SSLv3  256 bits  AECDH-AES256-SHA
>>     Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
>>     Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ADH-AES256-SHA256
>>     Rejected  SSLv3  256 bits  ADH-AES256-SHA
>>     Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
>>     Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
>>     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
>>     Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
>>     Failed    SSLv3  256 bits  AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  AES256-SHA256
>>     Rejected  SSLv3  256 bits  AES256-SHA
>>     Rejected  SSLv3  256 bits  CAMELLIA256-SHA
>>     Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
>>     Rejected  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
>>     Rejected  SSLv3  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
>>     Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA
>>     Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  ECDH-RSA-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  ECDH-ECDSA-DES-CBC3-SHA
>>     Rejected  SSLv3  168 bits  DES-CBC3-SHA
>>     Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
>>     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
>>     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
>>     Rejected  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
>>     Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
>>     Rejected  SSLv3  128 bits  SRP-DSS-AES-128-CBC-SHA
>>     Rejected  SSLv3  128 bits  SRP-RSA-AES-128-CBC-SHA
>>     Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
>>     Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
>>     Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
>>     Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
>>     Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
>>     Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA
>>     Rejected  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
>>     Rejected  SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
>>     Rejected  SSLv3  128 bits  AECDH-AES128-SHA
>>     Rejected  SSLv3  128 bits  SRP-AES-128-CBC-SHA
>>     Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  ADH-AES128-SHA256
>>     Rejected  SSLv3  128 bits  ADH-AES128-SHA
>>     Rejected  SSLv3  128 bits  ADH-SEED-SHA
>>     Rejected  SSLv3  128 bits  ADH-CAMELLIA128-SHA
>>     Failed    SSLv3  128 bits  ECDH-RSA-AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  ECDH-RSA-AES128-SHA256
>>     Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-SHA256
>>     Rejected  SSLv3  128 bits  ECDH-RSA-AES128-SHA
>>     Rejected  SSLv3  128 bits  ECDH-ECDSA-AES128-SHA
>>     Failed    SSLv3  128 bits  AES128-GCM-SHA256
>>     Failed    SSLv3  128 bits  AES128-SHA256
>>     Rejected  SSLv3  128 bits  AES128-SHA
>>     Rejected  SSLv3  128 bits  SEED-SHA
>>     Rejected  SSLv3  128 bits  CAMELLIA128-SHA
>>     Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
>>     Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>>     Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
>>     Rejected  SSLv3  128 bits  AECDH-RC4-SHA
>>     Rejected  SSLv3  128 bits  ADH-RC4-MD5
>>     Rejected  SSLv3  128 bits  ECDH-RSA-RC4-SHA
>>     Rejected  SSLv3  128 bits  ECDH-ECDSA-RC4-SHA
>>     Rejected  SSLv3  128 bits  RC4-SHA
>>     Rejected  SSLv3  128 bits  RC4-MD5
>>     Failed    SSLv3  128 bits  PSK-RC4-SHA
>>     Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
>>     Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
>>     Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
>>     Rejected  SSLv3  56 bits   DES-CBC-SHA
>>     Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
>>     Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
>>     Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
>>     Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
>>     Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
>>     Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
>>     Rejected  SSLv3  40 bits   EXP-RC4-MD5
>>     Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
>>     Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
>>     Rejected  SSLv3  0 bits    AECDH-NULL-SHA
>>     Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
>>     Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA
>>     Failed    SSLv3  0 bits    NULL-SHA256
>>     Rejected  SSLv3  0 bits    NULL-SHA
>>     Rejected  SSLv3  0 bits    NULL-MD5
>>     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-SHA384
>>     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
>>     Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>     Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
>>     Rejected  TLSv1  256 bits  SRP-DSS-AES-256-CBC-SHA
>>     Rejected  TLSv1  256 bits  SRP-RSA-AES-256-CBC-SHA
>>     Failed    TLSv1  256 bits  DHE-DSS-AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  DHE-RSA-AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA256
>>     Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA256
>>     Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
>>     Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
>>     Rejected  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
>>     Rejected  TLSv1  256 bits  DHE-DSS-CAMELLIA256-SHA
>>     Rejected  TLSv1  256 bits  AECDH-AES256-SHA
>>     Rejected  TLSv1  256 bits  SRP-AES-256-CBC-SHA
>>     Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  ADH-AES256-SHA256
>>     Rejected  TLSv1  256 bits  ADH-AES256-SHA
>>     Rejected  TLSv1  256 bits  ADH-CAMELLIA256-SHA
>>     Failed    TLSv1  256 bits  ECDH-RSA-AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  ECDH-RSA-AES256-SHA384
>>     Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-SHA384
>>     Rejected  TLSv1  256 bits  ECDH-RSA-AES256-SHA
>>     Rejected  TLSv1  256 bits  ECDH-ECDSA-AES256-SHA
>>     Failed    TLSv1  256 bits  AES256-GCM-SHA384
>>     Failed    TLSv1  256 bits  AES256-SHA256
>>     Rejected  TLSv1  256 bits  AES256-SHA
>>     Rejected  TLSv1  256 bits  CAMELLIA256-SHA
>>     Failed    TLSv1  256 bits  PSK-AES256-CBC-SHA
>>     Rejected  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
>>     Rejected  TLSv1  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
>>     Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  AECDH-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  SRP-3DES-EDE-CBC-SHA
>>     Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  ECDH-RSA-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  ECDH-ECDSA-DES-CBC3-SHA
>>     Rejected  TLSv1  168 bits  DES-CBC3-SHA
>>     Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
>>     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-SHA256
>>     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
>>     Rejected  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>     Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
>>     Rejected  TLSv1  128 bits  SRP-DSS-AES-128-CBC-SHA
>>     Rejected  TLSv1  128 bits  SRP-RSA-AES-128-CBC-SHA
>>     Failed    TLSv1  128 bits  DHE-DSS-AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  DHE-RSA-AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA256
>>     Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA256
>>     Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
>>     Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
>>     Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA
>>     Rejected  TLSv1  128 bits  DHE-DSS-SEED-SHA
>>     Rejected  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
>>     Rejected  TLSv1  128 bits  DHE-DSS-CAMELLIA128-SHA
>>     Rejected  TLSv1  128 bits  AECDH-AES128-SHA
>>     Rejected  TLSv1  128 bits  SRP-AES-128-CBC-SHA
>>     Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  ADH-AES128-SHA256
>>     Rejected  TLSv1  128 bits  ADH-AES128-SHA
>>     Rejected  TLSv1  128 bits  ADH-SEED-SHA
>>     Rejected  TLSv1  128 bits  ADH-CAMELLIA128-SHA
>>     Failed    TLSv1  128 bits  ECDH-RSA-AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  ECDH-RSA-AES128-SHA256
>>     Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-SHA256
>>     Rejected  TLSv1  128 bits  ECDH-RSA-AES128-SHA
>>     Rejected  TLSv1  128 bits  ECDH-ECDSA-AES128-SHA
>>     Failed    TLSv1  128 bits  AES128-GCM-SHA256
>>     Failed    TLSv1  128 bits  AES128-SHA256
>>     Rejected  TLSv1  128 bits  AES128-SHA
>>     Rejected  TLSv1  128 bits  SEED-SHA
>>     Rejected  TLSv1  128 bits  CAMELLIA128-SHA
>>     Failed    TLSv1  128 bits  PSK-AES128-CBC-SHA
>>     Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>     Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
>>     Rejected  TLSv1  128 bits  AECDH-RC4-SHA
>>     Rejected  TLSv1  128 bits  ADH-RC4-MD5
>>     Rejected  TLSv1  128 bits  ECDH-RSA-RC4-SHA
>>     Rejected  TLSv1  128 bits  ECDH-ECDSA-RC4-SHA
>>     Rejected  TLSv1  128 bits  RC4-SHA
>>     Rejected  TLSv1  128 bits  RC4-MD5
>>     Failed    TLSv1  128 bits  PSK-RC4-SHA
>>     Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
>>     Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
>>     Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
>>     Rejected  TLSv1  56 bits   DES-CBC-SHA
>>     Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
>>     Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
>>     Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
>>     Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
>>     Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
>>     Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
>>     Rejected  TLSv1  40 bits   EXP-RC4-MD5
>>     Rejected  TLSv1  0 bits    ECDHE-RSA-NULL-SHA
>>     Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
>>     Rejected  TLSv1  0 bits    AECDH-NULL-SHA
>>     Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA
>>     Rejected  TLSv1  0 bits    ECDH-ECDSA-NULL-SHA
>>     Failed    TLSv1  0 bits    NULL-SHA256
>>     Rejected  TLSv1  0 bits    NULL-SHA
>>     Rejected  TLSv1  0 bits    NULL-MD5
>>
>> The cipher appears to be supported by both client (OpenSSL
>> s_client) and server (Also using the same version of OpenSSL) but
>> the handshake cannot complete.
>>
>> Let's try another cipher. How about one that worked before:
>> DHE-RSA-AES256-SHA
>>
>>
>>         <Connector port="8218"
>>                 protocol="org.apache.coyote.http11.Http11AprProtocol"
>>                 SSLEnabled="true"
>>                 secure="true"
>>                 scheme="https"
>>                 SSLCipherSuite="DHE-RSA-AES256-SHA"
>>                 SSLCertificateKeyFile="[...]"
>>                 SSLCertificateFile="[...]"
>>                 SSLCertificateChainFile="[...]"
>>                 SSLProtocol="TLSv1"
>>                 executor="tomcatThreadPool"
>>                 URIEncoding="UTF-8" />
>>
>> $ openssl s_client -connect myhost:8218
>> [...]
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>> [...]
>>
>> Works. Firefox 26 also works.
>>
>> There must be some kind of problem with configuring
>> ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?
>
> Oh, I also tried this:
>
>         <Connector port="8218"
>                 protocol="org.apache.coyote.http11.Http11AprProtocol"
>                 SSLEnabled="true"
>                 secure="true"
>                 scheme="https"
>                 SSLCertificateKeyFile="[...]"
>                 SSLCertificateFile="[...]"
>                 SSLCertificateChainFile="[...]"
>                 SSLProtocol="TLSv1"
>                 executor="tomcatThreadPool"
>                 URIEncoding="UTF-8" />
>
> $ openssl s_client -connect myhost:8218 -cipher ECDHE-ECDSA-AES128-SHA256
> CONNECTED(00000003)
> 140418231797416:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:741:
>
> (Try some other cipher)
> $ openssl s_client -connect myhost:8218 -cipher DHE-RSA-AES256-SHA
>
> [...]
> SSL-Session:
>      Protocol  : TLSv1
>      Cipher    : DHE-RSA-AES256-SHA
> [...]
>
> $ sslscan myhost:8218 | grep ECDHE-ECDSA
>      Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>      Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
>      Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
>      Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>      Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>      Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
>      Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
>      Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
>      Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
>      Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>      Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
>      Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
>      Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>      Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>      Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
>      Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
>      Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
>      Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
>
> It looks like there is something wrong with the ECDHE-ECDSA suites. If
> anything, this is an OpenSSL problem and not a Tomcat one: Tomcat
> doesn't do anything with the crypto, here.
>
> - -chris

Did you make an ECDSA cert?

. . . . still in RFP response mode, so only 1/2 cent here
/mde/
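Mark's question is the diagnosis: every ECDHE-ECDSA and ECDH-ECDSA suite authenticates the server with an ECDSA signature, so a connector holding an RSA certificate has no suite in common with the client and OpenSSL sends the handshake-failure alert (alert 40) that appears in the s_client output above. The same output shows a second, independent constraint: `openssl ciphers -v` lists ECDHE-ECDSA-AES128-SHA256 as a TLSv1.2 suite, and the connector under test only negotiated TLSv1 and rejected `-tls1_2`, so that suite could not have been negotiated even with an ECDSA certificate. The script below is an added example written for this archive page, not code from Tomcat, tcnative or OpenSSL; it checks an OpenSSL-style SSLCipherSuite value against the certificate key type and the protocol versions a connector allows, using classification rules derived from OpenSSL's suite naming convention (an approximation: only explicit colon-separated suite names are handled, not aliases such as HIGH, and the static ECDH-ECDSA/ECDH-RSA suites are folded into the ECDSA/RSA buckets). The four scenarios in `__main__` are reconstructed from this thread.

```python
"""Does a connector's cipher list fit its certificate and protocol set?

Added example for this thread (not Tomcat, tcnative or OpenSSL code). The
suite names, key types and TLS-1.0-only connector come from the messages
above; the classification rules are an approximation of OpenSSL's naming.
"""
import re
import ssl

# Authentication method implied by an OpenSSL suite name (TLS 1.2 and
# older). More specific prefixes come before shorter ones.
_AUTH_PREFIXES = [
    ("EXP-EDH-RSA-", "RSA"), ("EXP-EDH-DSS-", "DSS"), ("EXP-ADH-", "anon"),
    ("ECDHE-ECDSA-", "ECDSA"), ("ECDHE-RSA-", "RSA"),
    ("ECDH-ECDSA-", "ECDSA"), ("ECDH-RSA-", "RSA"),
    ("DHE-RSA-", "RSA"), ("DHE-DSS-", "DSS"),
    ("EDH-RSA-", "RSA"), ("EDH-DSS-", "DSS"),
    ("AECDH-", "anon"), ("ADH-", "anon"),
    ("SRP-RSA-", "RSA"), ("SRP-DSS-", "DSS"), ("SRP-", "SRP"),
    ("PSK-", "PSK"),
]
# Certificate key type each method needs; None = no certificate involved.
_KEY_FOR_AUTH = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA",
                 "anon": None, "SRP": None, "PSK": None}
# SHA-2 HMAC and AEAD suites were introduced with TLS 1.2.
_TLS12_ONLY = re.compile(r"-(GCM-|CCM|SHA256$|SHA384$|CHACHA20)")
_PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def auth_method(suite):
    """Authentication method implied by an OpenSSL suite name."""
    for prefix, auth in _AUTH_PREFIXES:
        if suite.startswith(prefix):
            return auth
    # Bare names (AES256-SHA, DES-CBC3-SHA, RC4-MD5, NULL-SHA) use static
    # RSA key exchange and therefore still need an RSA certificate.
    return "RSA"


def min_protocol(suite):
    """Lowest protocol version that can carry the suite."""
    return "TLSv1.2" if _TLS12_ONLY.search(suite) else "TLSv1"


def check_connector(cipher_suite, key_type, protocols):
    """Return (usable, problems) for a connector.

    usable: suites the server can offer with a certificate whose key type
    is key_type ("RSA", "EC" or "DSA") on a connector limited to protocols.
    problems: one explanation per suite that can never be negotiated.
    """
    highest = max(_PROTOCOL_ORDER.index(p) for p in protocols)
    usable, problems = [], []
    for suite in (s.strip() for s in cipher_suite.split(":")):
        if not suite or suite[0] in "!-+":   # list modifiers, not suite names
            continue
        needed = _KEY_FOR_AUTH[auth_method(suite)]
        if needed is not None and needed != key_type:
            problems.append(f"{suite}: needs certificate key type {needed}, "
                            f"but the server key is {key_type}")
        elif _PROTOCOL_ORDER.index(min_protocol(suite)) > highest:
            problems.append(f"{suite}: needs {min_protocol(suite)}, but the "
                            f"connector allows only {'/'.join(protocols)}")
        else:
            usable.append(suite)
    return usable, problems


def local_openssl_view(suite):
    """Cross-check with the OpenSSL linked into this Python: the (auth,
    protocol) strings it reports for suite, or None if the suite is not
    available in this build or security level."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.set_ciphers(suite)
        for info in ctx.get_ciphers():
            if info["name"] == suite:
                return info["auth"], info["protocol"]
    except ssl.SSLError:
        pass
    return None


if __name__ == "__main__":
    # Reconstructed from the thread: the ECDHE-ECDSA suite and the working
    # DHE-RSA suite on a TLS-1.0-only connector with an RSA certificate,
    # then the ECDSA certificate with and without TLS 1.2 enabled.
    scenarios = [
        ("ECDHE-ECDSA-AES128-SHA256", "RSA", ["TLSv1"]),
        ("DHE-RSA-AES256-SHA", "RSA", ["TLSv1"]),
        ("ECDHE-ECDSA-AES128-SHA256", "EC", ["TLSv1"]),
        ("ECDHE-ECDSA-AES128-SHA256", "EC", ["TLSv1", "TLSv1.1", "TLSv1.2"]),
    ]
    for cs, key, protos in scenarios:
        usable, problems = check_connector(cs, key, protos)
        print(f"{cs} / {key} key / {'+'.join(protos)} -> usable: {usable or 'none'}")
        for line in problems:
            print("   ", line)
        view = local_openssl_view(cs)
        if view:
            print(f"    local OpenSSL reports auth={view[0]} protocol={view[1]}")
```

Run it before restarting a connector whose SSLCipherSuite has been narrowed: an empty `usable` list is exactly the "no cipher overlap" the browser reported above, and the `problems` lines say whether the certificate or the protocol floor is the cause. The `local_openssl_view` cross-check is optional and only confirms the name-based classification against whatever OpenSSL build the script happens to run on.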

