tomcat-users mailing list archives

From "Terence M. Bandoian" <tere...@tmbsw.com>
Subject Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Sun, 05 Jan 2014 07:17:53 GMT
On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> Mudassir,
>
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > Again, we have to submit this as a bug.....TLS 1.2 is not working
> > in Tomcat
>
> Tomcat 7.0.74
> Oracle Java 1.7.0_45
> tcnative 1.1.29 trunk (essentially 1.2.29)
>
> tcnative$ make clean
> tcnative$ ./configure --with-apr=`which apr-config`
> --with-java-home=/usr/local/java-7 --with-ssl
> tcnative$ time make
> [...]
> make[1]: Leaving directory
> `/home/cschultz/projects/tomcat-native-1.1.x/native'
>
> real    0m14.790s
> user    0m15.300s
> sys    0m1.840s
>
> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>
> tcnative$ cd $CATALINA_BASE
>
> tomcat$ cat conf/server.xml
>
> [...]
>        <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true"
>                secure="true"
>                scheme="https"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="all"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
> [...]
>
> tomcat$ bin/startup.sh
>
> [...]
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
> version 1.4.6.
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
> [false], random [true].
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> [...]
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> verify error:num=19:self signed certificate in certificate chain
> [...]
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
> [...]
>
> *disconnect*
>
> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>
> Looks like TLS1.2 works just fine in the default configuration
> (SSLProtocol="all" is the default).
>
> Let's try your configuration. I'm only going to change SSLProtocol
> from "all" to "TLSv1":
>
>        <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true"
>                secure="true"
>                scheme="https"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
> *Restart Tomcat*
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> [...]
>
> Trying again with Firefox 26 gives me
> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>
> Let's try restricting to only your cipher. Let's make sure that my
> OpenSSL version supports it, first:
>
> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)
> Mac=SHA256
>
>
> Yup. Let's configure it in Tomcat:
>
>        <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true"
>                secure="true"
>                scheme="https"
>                SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
>
> $ openssl s_client -connect myhost:8218
> CONNECTED(00000003)
> 139718306563752:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:741:
>
> $ openssl s_client -tls1 -connect myhost:8218
> CONNECTED(00000003)
> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure:s3_pkt.c:596:
>
> $ openssl s_client -tls1_1 -connect myhost:8218
> CONNECTED(00000003)
> 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:337:
>
> $ openssl s_client -tls1_2 -connect myhost:8218
> CONNECTED(00000003)
> 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:337:
>
> Firefox also fails with "ssl_error_no_cypher_overlap".
>
> $ sslscan myhost:8218
>                    _
>            ___ ___| |___  ___ __ _ _ __
>           / __/ __| / __|/ __/ _` | '_ \
>           \__ \__ \ \__ \ (_| (_| | | | |
>           |___/___/_|___/\___\__,_|_| |_|
>
>                   Version 1.8.2
>              http://www.titania.co.uk
>         Copyright Ian Ventura-Whiting 2009
>
> Testing SSL server myhost on port 8218
>
>   Supported Server Cipher(s):
>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
>     Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
>     Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
>     Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
>     Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
>     Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
>     Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
>     Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
>     Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
>     Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
>     Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
>     Rejected  SSLv3  256 bits  AECDH-AES256-SHA
>     Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
>     Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ADH-AES256-SHA256
>     Rejected  SSLv3  256 bits  ADH-AES256-SHA
>     Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
>     Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
>     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
>     Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
>     Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
>     Failed    SSLv3  256 bits  AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  AES256-SHA256
>     Rejected  SSLv3  256 bits  AES256-SHA
>     Rejected  SSLv3  256 bits  CAMELLIA256-SHA
>     Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
>     Rejected  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
>     Rejected  SSLv3  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
>     Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA
>     Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  ECDH-RSA-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  ECDH-ECDSA-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  DES-CBC3-SHA
>     Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
>     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
>     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
>     Rejected  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
>     Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
>     Rejected  SSLv3  128 bits  SRP-DSS-AES-128-CBC-SHA
>     Rejected  SSLv3  128 bits  SRP-RSA-AES-128-CBC-SHA
>     Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
>     Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
>     Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
>     Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
>     Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
>     Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA
>     Rejected  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
>     Rejected  SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
>     Rejected  SSLv3  128 bits  AECDH-AES128-SHA
>     Rejected  SSLv3  128 bits  SRP-AES-128-CBC-SHA
>     Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  ADH-AES128-SHA256
>     Rejected  SSLv3  128 bits  ADH-AES128-SHA
>     Rejected  SSLv3  128 bits  ADH-SEED-SHA
>     Rejected  SSLv3  128 bits  ADH-CAMELLIA128-SHA
>     Failed    SSLv3  128 bits  ECDH-RSA-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  ECDH-RSA-AES128-SHA256
>     Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-SHA256
>     Rejected  SSLv3  128 bits  ECDH-RSA-AES128-SHA
>     Rejected  SSLv3  128 bits  ECDH-ECDSA-AES128-SHA
>     Failed    SSLv3  128 bits  AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  AES128-SHA256
>     Rejected  SSLv3  128 bits  AES128-SHA
>     Rejected  SSLv3  128 bits  SEED-SHA
>     Rejected  SSLv3  128 bits  CAMELLIA128-SHA
>     Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
>     Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>     Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
>     Rejected  SSLv3  128 bits  AECDH-RC4-SHA
>     Rejected  SSLv3  128 bits  ADH-RC4-MD5
>     Rejected  SSLv3  128 bits  ECDH-RSA-RC4-SHA
>     Rejected  SSLv3  128 bits  ECDH-ECDSA-RC4-SHA
>     Rejected  SSLv3  128 bits  RC4-SHA
>     Rejected  SSLv3  128 bits  RC4-MD5
>     Failed    SSLv3  128 bits  PSK-RC4-SHA
>     Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
>     Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
>     Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
>     Rejected  SSLv3  56 bits   DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
>     Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
>     Rejected  SSLv3  40 bits   EXP-RC4-MD5
>     Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
>     Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
>     Rejected  SSLv3  0 bits    AECDH-NULL-SHA
>     Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
>     Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA
>     Failed    SSLv3  0 bits    NULL-SHA256
>     Rejected  SSLv3  0 bits    NULL-SHA
>     Rejected  SSLv3  0 bits    NULL-MD5
>     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-SHA384
>     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
>     Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>     Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
>     Rejected  TLSv1  256 bits  SRP-DSS-AES-256-CBC-SHA
>     Rejected  TLSv1  256 bits  SRP-RSA-AES-256-CBC-SHA
>     Failed    TLSv1  256 bits  DHE-DSS-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  DHE-RSA-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA256
>     Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA256
>     Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
>     Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
>     Rejected  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
>     Rejected  TLSv1  256 bits  DHE-DSS-CAMELLIA256-SHA
>     Rejected  TLSv1  256 bits  AECDH-AES256-SHA
>     Rejected  TLSv1  256 bits  SRP-AES-256-CBC-SHA
>     Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  ADH-AES256-SHA256
>     Rejected  TLSv1  256 bits  ADH-AES256-SHA
>     Rejected  TLSv1  256 bits  ADH-CAMELLIA256-SHA
>     Failed    TLSv1  256 bits  ECDH-RSA-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  ECDH-RSA-AES256-SHA384
>     Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-SHA384
>     Rejected  TLSv1  256 bits  ECDH-RSA-AES256-SHA
>     Rejected  TLSv1  256 bits  ECDH-ECDSA-AES256-SHA
>     Failed    TLSv1  256 bits  AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  AES256-SHA256
>     Rejected  TLSv1  256 bits  AES256-SHA
>     Rejected  TLSv1  256 bits  CAMELLIA256-SHA
>     Failed    TLSv1  256 bits  PSK-AES256-CBC-SHA
>     Rejected  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
>     Rejected  TLSv1  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
>     Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  AECDH-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  SRP-3DES-EDE-CBC-SHA
>     Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  ECDH-RSA-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  ECDH-ECDSA-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  DES-CBC3-SHA
>     Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
>     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-SHA256
>     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
>     Rejected  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>     Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
>     Rejected  TLSv1  128 bits  SRP-DSS-AES-128-CBC-SHA
>     Rejected  TLSv1  128 bits  SRP-RSA-AES-128-CBC-SHA
>     Failed    TLSv1  128 bits  DHE-DSS-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  DHE-RSA-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA256
>     Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA256
>     Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
>     Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
>     Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA
>     Rejected  TLSv1  128 bits  DHE-DSS-SEED-SHA
>     Rejected  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
>     Rejected  TLSv1  128 bits  DHE-DSS-CAMELLIA128-SHA
>     Rejected  TLSv1  128 bits  AECDH-AES128-SHA
>     Rejected  TLSv1  128 bits  SRP-AES-128-CBC-SHA
>     Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  ADH-AES128-SHA256
>     Rejected  TLSv1  128 bits  ADH-AES128-SHA
>     Rejected  TLSv1  128 bits  ADH-SEED-SHA
>     Rejected  TLSv1  128 bits  ADH-CAMELLIA128-SHA
>     Failed    TLSv1  128 bits  ECDH-RSA-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  ECDH-RSA-AES128-SHA256
>     Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-SHA256
>     Rejected  TLSv1  128 bits  ECDH-RSA-AES128-SHA
>     Rejected  TLSv1  128 bits  ECDH-ECDSA-AES128-SHA
>     Failed    TLSv1  128 bits  AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  AES128-SHA256
>     Rejected  TLSv1  128 bits  AES128-SHA
>     Rejected  TLSv1  128 bits  SEED-SHA
>     Rejected  TLSv1  128 bits  CAMELLIA128-SHA
>     Failed    TLSv1  128 bits  PSK-AES128-CBC-SHA
>     Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>     Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
>     Rejected  TLSv1  128 bits  AECDH-RC4-SHA
>     Rejected  TLSv1  128 bits  ADH-RC4-MD5
>     Rejected  TLSv1  128 bits  ECDH-RSA-RC4-SHA
>     Rejected  TLSv1  128 bits  ECDH-ECDSA-RC4-SHA
>     Rejected  TLSv1  128 bits  RC4-SHA
>     Rejected  TLSv1  128 bits  RC4-MD5
>     Failed    TLSv1  128 bits  PSK-RC4-SHA
>     Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
>     Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
>     Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
>     Rejected  TLSv1  56 bits   DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
>     Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
>     Rejected  TLSv1  40 bits   EXP-RC4-MD5
>     Rejected  TLSv1  0 bits    ECDHE-RSA-NULL-SHA
>     Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
>     Rejected  TLSv1  0 bits    AECDH-NULL-SHA
>     Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA
>     Rejected  TLSv1  0 bits    ECDH-ECDSA-NULL-SHA
>     Failed    TLSv1  0 bits    NULL-SHA256
>     Rejected  TLSv1  0 bits    NULL-SHA
>     Rejected  TLSv1  0 bits    NULL-MD5
>
> The cipher appears to be supported by both client (OpenSSL s_client)
> and server (Also using the same version of OpenSSL) but the handshake
> cannot complete.
>
> Let's try another cipher. How about one that worked before:
> DHE-RSA-AES256-SHA
>
>
>        <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true"
>                secure="true"
>                scheme="https"
>                SSLCipherSuite="DHE-RSA-AES256-SHA"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
> $ openssl s_client -connect myhost:8218
> [...]
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> [...]
>
> Works. Firefox 26 also works.
>
> There must be some kind of problem with configuring
> ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?
>
> -chris


Nice work.  Really generous.

-Terence Bandoian
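The thread above shows the two constraints a cipher suite has to satisfy before any client can negotiate it, without naming them: the `openssl ciphers -v` line prints `ECDHE-ECDSA-AES128-SHA256 TLSv1.2 ... Au=ECDSA`, so the suite exists only in TLS 1.2 and authenticates with an ECDSA key, while the connector is pinned to `SSLProtocol="TLSv1"` and the suites that did work (`DHE-RSA-AES256-SHA`, `TLS_DHE_RSA_WITH_...`) show the server presenting an RSA certificate. Either mismatch alone leaves no suite both sides can agree on, which is exactly the `handshake failure` / `ssl_error_no_cypher_overlap` seen above. The following script is an added example, not code from the thread or from Tomcat/tcnative: it lints an `SSLCipherSuite` value against the enabled protocols and the certificate key type before the connector is deployed. It assumes an RSA certificate by default, treats `SSLProtocol="TLSv1"` as TLS 1.0 only (consistent with the `wrong version number` errors for `-tls1_1` and `-tls1_2` above, but an assumption), and understands explicit OpenSSL suite names only, not keywords such as `HIGH` or `!aNULL`. All function names (`lint_connector`, `usable_suites`, `cert_key_required`, `min_protocol`) are mine.

```python
"""Lint a tcnative SSLCipherSuite value against SSLProtocol and the server
certificate key type, to catch a "no cipher overlap" configuration before
deploying it.  Added example; not Tomcat or tcnative code."""

import re

# Protocol versions in ascending order.  Assumption: SSLProtocol="TLSv1"
# enables TLS 1.0 only, as the thread's "wrong version number" errors suggest.
_VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Single DES (56-bit) in OpenSSL names, e.g. DES-CBC-SHA, EDH-RSA-DES-CBC-SHA;
# does not match triple DES (DES-CBC3-SHA).
_SINGLE_DES = re.compile(r"(^|-)DES-CBC-")


def enabled_protocols(ssl_protocol):
    """Versions a SSLProtocol value enables: "all" or a '+'-separated list
    such as "TLSv1+TLSv1.1+TLSv1.2" (tcnative syntax)."""
    value = ssl_protocol.strip()
    if value.lower() == "all":
        return set(_VERSIONS)
    return {p.strip() for p in value.split("+") if p.strip() in _VERSIONS}


def min_protocol(cipher):
    """Lowest version on which OpenSSL offers the suite.  AEAD (GCM) and
    SHA-2 MAC suites are defined only for TLS 1.2, which is what
    'openssl ciphers -v' reports as TLSv1.2; everything else dates from SSLv3."""
    if any(tag in cipher for tag in ("GCM", "SHA256", "SHA384")):
        return "TLSv1.2"
    return "SSLv3"


def cert_key_required(cipher):
    """Certificate key type the suite authenticates with: 'RSA', 'EC', 'DSA',
    or None when no certificate is involved (anonymous DH, PSK, plain SRP)."""
    tokens = cipher.split("-")
    head = tokens[0]
    if head in ("ADH", "AECDH", "PSK"):
        return None
    if head == "SRP" and tokens[1] not in ("RSA", "DSS"):
        return None
    if head == "ECDH" or "ECDSA" in tokens:  # static ECDH or ECDSA: EC key
        return "EC"
    if "DSS" in tokens:
        return "DSA"
    return "RSA"  # RSA key exchange, DHE/EDH-RSA, ECDHE-RSA, SRP-RSA


def is_weak(cipher):
    """True for suites with no encryption, export strength, RC4, MD5,
    single DES, or no server authentication at all (ADH/AECDH)."""
    tokens = cipher.split("-")
    return (
        tokens[0] in ("ADH", "AECDH")
        or any(t in tokens for t in ("NULL", "EXP", "RC4", "MD5"))
        or _SINGLE_DES.search(cipher) is not None
    )


def lint_connector(ssl_cipher_suite, ssl_protocol, cert_key_type="RSA"):
    """Check every suite in an SSLCipherSuite value.  Returns a list of
    (cipher, status, reasons) with status 'unusable', 'weak' or 'ok'."""
    enabled = enabled_protocols(ssl_protocol)
    highest = max((_VERSIONS.index(v) for v in enabled), default=-1)
    findings = []
    for cipher in (c.strip() for c in ssl_cipher_suite.split(":")):
        if not cipher:
            continue
        reasons = []
        need = cert_key_required(cipher)
        if need is not None and need != cert_key_type:
            reasons.append("needs a %s certificate, server presents %s"
                           % (need, cert_key_type))
        floor = min_protocol(cipher)
        if _VERSIONS.index(floor) > highest:
            on = "+".join(v for v in _VERSIONS if v in enabled) or "nothing"
            reasons.append("requires %s, SSLProtocol=%r enables only %s"
                           % (floor, ssl_protocol, on))
        if reasons:
            status = "unusable"
        elif is_weak(cipher):
            status, reasons = "weak", ["no confidentiality or no server authentication"]
        else:
            status = "ok"
        findings.append((cipher, status, reasons))
    return findings


def usable_suites(ssl_cipher_suite, ssl_protocol, cert_key_type="RSA"):
    """Suites a client could actually negotiate; an empty list means every
    client gets the handshake failure seen in the thread."""
    return [c for c, status, _ in lint_connector(ssl_cipher_suite, ssl_protocol, cert_key_type)
            if status != "unusable"]


if __name__ == "__main__":
    # The connector configurations tried in the thread, RSA certificate assumed.
    for suite, proto in [("ECDHE-ECDSA-AES128-SHA256", "TLSv1"),
                         ("DHE-RSA-AES256-SHA", "TLSv1"),
                         ("DHE-RSA-AES256-GCM-SHA384:RC4-MD5", "all")]:
        for cipher, status, reasons in lint_connector(suite, proto):
            print("%-32s %-8s %s" % (cipher, status, "; ".join(reasons)))
```

Run stand-alone, the first configuration is reported `unusable` for two independent reasons (EC certificate required, TLS 1.2 required), the second is `ok`, and the third shows why "it negotiates" is not the same as "it is safe": `RC4-MD5` is usable but flagged `weak`. Running the lint over a candidate `SSLCipherSuite` string, with the key type read from the actual certificate, turns the trial-and-error in the thread into a check that fails before a restart.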


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

