tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Fri, 03 Jan 2014 17:32:28 GMT
> From: Mudassir Aftab [mailto:withmudassir@gmail.com] 
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="200"
>            clientAuth="false"
>            *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*

Why are there asterisks on that config line?  Remove them if they're actually present.  Don't
try to get cute with formatting tricks like bolding text, since this is a plaintext mailing
list.

> Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)

You need to update the OpenSSL version to 1.0.1e, which contains fixes for TLS 1.1 and 1.2
negotiation.  Once that's installed (and tcnative rebuilt), verify that the desired cipher
is available with the "openssl ciphers" command.

You also need to confirm that your client is capable of TLSv1.2 using the above cipher.  As
stated before, getting a Wireshark or tcpdump trace of the negotiation would show what the
client allows.

 - Chuck
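
The two server-side checks named in the reply above (OpenSSL at 1.0.1e or later, and the cipher present in `openssl ciphers` output), as an added example that is not part of the original message. The function names are hypothetical; the test banner is the log line quoted in the thread.

```sh
#!/bin/sh
# Added example (hypothetical helper names): server-side checks from the reply.

# Pull the version token ("1.0.1", "1.0.1e") out of an OpenSSL banner: either
# `openssl version` output or Tomcat's AprLifecycleListener log line.
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Succeed when version $1 is 1.0.1e or later. OpenSSL 1.0.x marks patch
# releases with a trailing letter, so 1.0.1 < 1.0.1c < 1.0.1e < 1.0.2.
version_at_least_101e() {
    num=${1%%[a-z]*}        # numeric part, e.g. 1.0.1
    letter=${1#"$num"}      # letter suffix, empty for the base release
    old_ifs=$IFS; IFS=.
    set -- $num             # split on dots into $1 $2 $3
    IFS=$old_ifs
    key=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
    [ "$key" -gt 10001 ] && return 0
    [ "$key" -lt 10001 ] && return 1
    case $letter in
        ''|[a-d]) return 1 ;;   # 1.0.1 through 1.0.1d
        *)        return 0 ;;   # 1.0.1e and later letters
    esac
}

# Succeed when cipher name $1 is an exact entry in the colon-separated
# list $2, the format printed by `openssl ciphers`.
cipher_in_list() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Check the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl_version_from_banner "$(openssl version)")
    if version_at_least_101e "$v"; then echo "OpenSSL $v: 1.0.1e or later"
    else echo "OpenSSL ${v:-unknown}: older than 1.0.1e or not parsed"; fi
    if cipher_in_list "ECDHE-ECDSA-AES128-SHA256" "$(openssl ciphers ALL)"; then
        echo "ECDHE-ECDSA-AES128-SHA256: available"
    else echo "ECDHE-ECDSA-AES128-SHA256: not offered by this build"; fi
fi
```

This checks the `openssl` binary on the PATH; tcnative uses whichever OpenSSL it was built against, which is why the reply says to rebuild it after upgrading.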

