tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sanaullah <sanaulla...@gmail.com>
Subject Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Sun, 05 Jan 2014 14:08:15 GMT
most of the people puking here regarding the tlsv1.1 and tlsv1.2 support in
tomcat 7.0.47 or just trying them-self to look over smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. you
have to apply these two patches in order to run TLSv1.1 and tlsv1.2
https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spend 5 hours to test this. I am using ubuntu trusty.

Here is my test result

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect
127.0.0.1:8443
CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
+aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
EmVg3uQq9XxPfiI=
-----END CERTIFICATE-----
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID:
AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key:
45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51
...........V..IQ
    0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE
..PP...A.
    0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9
.v)..[5.....;>m.
    0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21
......T#.9-Z..^!
    0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed
..7.fY.._..*....
    0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16
]r..^.)..I..P...
    0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6
#..cy.6#...5y.h.
    0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ......<w....'
..
    0080 - 40 11 a1 d2 8e 8a 68 ab-5e c9 81 3d 72 46 56 d8
@.....h.^..=rFV.
    0090 - 84 66 b7 6f 57 ce 0f 05-d0 52 a4 d3 9c 66 de b4
.f.oW....R...f..
    00a0 - 85 cb 9f fe 85 16 e2 35-df 46 c2 c8 fc 37 bb 48
.......5.F...7.H

    Start Time: 1388926368
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0


/////////////////*******Server.xml***********************///////////////////////////

 <Connector port="8443"

protocol="org.apache.coyote.http11.Http11AprProtocol"
                SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               SSLProtocol="all"
               clientAuth="false"
               SSLCertificateFile="/home/san/sinful.pem"
               SSLCertificateKeyFile="/home/san/sinful.key" />


........................................................................................................................................................
How To Apply the patches.

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 , this patch
will be applied to tomcat-native-1.1.29.  after the patch compile it using
cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes
--with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

copy the libs and place them to default lib directory of ubuntu
cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/


2- Get the source code of tomcat-7.0.47.
install  jdk6

apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166
to tomcat-7.0.47.
export the jdk6 path.
run "ant" in the source folder. this will download many files and also
compile the code.

there will be some errors related to SSLV2. comment that code. as sslv2
will no more supported. after the successful build start the tomcat server.

let me know if there is still any errors.

Regards,
San








On Sun, Jan 5, 2014 at 12:17 PM, Terence M. Bandoian <terence@tmbsw.com>wrote:

> On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> > Musassir,
> >
> > On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > > Again, we have to submit this as a bug.....TLS 1.2 is not working
> > > in Tomcat
> >
> > Tomcat 7.0.74
> > Oracle Java 1.7.0_45
> > tcnative 1.1.29 trunk (essentially 1.2.29
> >
> > tcnative$ make clean
> > tcnative$ ./configure --with-apr=`which apr-config`
> > --with-java-home=/usr/local/java-7 --with-ssl
> > tcnative$ time make
> > [...]
> > make[1]: Leaving directory
> > `/home/cschultz/projects/tomcat-native-1.1.x/native'
> >
> > real    0m14.790s
> > user    0m15.300s
> > sys    0m1.840s
> >
> > tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> >
> > tcnative$ cd $CATALINA_BASE
> >
> > tomcat$ cat conf/server.xml
> >
> > [...]
> >        <Connector port="8218"
> >                protocol="org.apache.coyote.http11.Http11AprProtocol"
> >                SSLEnabled="true"
> >                secure="true"
> >                scheme="https"
> >                SSLCertificateKeyFile="[...]"
> >                SSLCertificateFile="[...]"
> >                SSLCertificateChainFile="[...]"
> >                SSLProtocol="all"
> >                executor="tomcatThreadPool"
> >                URIEncoding="UTF-8" />
> > [...]
> >
> > tomcat$ bin/startup.sh
> >
> > [...]
> > Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
> init
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
> > version 1.4.6.
> > Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
> init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
> > [false], random [true].
> > Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
> > initializeSSL
> > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> > [...]
> >
> > tomcat$ openssl s_client -connect myhost:8218
> > [...]
> > verify error:num=19:self signed certificate in certificate chain
> > [...]
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : DHE-RSA-AES256-GCM-SHA384
> > [...]
> >
> > *disconnect*
> >
> > I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
> > using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
> >
> > Looks like TLS1.2 works just fine in the default configuration
> > (SSLProtocol="all" is the default).
> >
> > Let's try your configuration. I'm only going to change SSLProtocol
> > from "all" to "TLSv1":
> >
> >        <Connector port="8218"
> >                protocol="org.apache.coyote.http11.Http11AprProtocol"
> >                SSLEnabled="true"
> >                secure="true"
> >                scheme="https"
> >                SSLCertificateKeyFile="[...]"
> >                SSLCertificateFile="[...]"
> >                SSLCertificateChainFile="[...]"
> >                SSLProtocol="TLSv1"
> >                executor="tomcatThreadPool"
> >                URIEncoding="UTF-8" />
> >
> > * Restart Tomcat*
> >
> > tomcat$ openssl s_client -connect myhost:8218
> > [...]
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : DHE-RSA-AES256-SHA
> > [...]
> >
> > Trying again with Firefox 26 give me
> > cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
> >
> > Let's try restricting to only your cipher. Let's make sure that my
> > OpenSSL version supports it, first:
> >
> > tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> > ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)
> > Mac=SHA256
> >
> >
> > Yup. Let's configure it in Tomcat:
> >
> >        <Connector port="8218"
> >                protocol="org.apache.coyote.http11.Http11AprProtocol"
> >                SSLEnabled="true"
> >                secure="true"
> >                scheme="https"
> >                SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
> >                SSLCertificateKeyFile="[...]"
> >                SSLCertificateFile="[...]"
> >                SSLCertificateChainFile="[...]"
> >                SSLProtocol="TLSv1"
> >                executor="tomcatThreadPool"
> >                URIEncoding="UTF-8" />
> >
> >
> > $ openssl s_client -connect myhost:8218
> > CONNECTED(00000003)
> > 139718306563752:error:14077410:SSL
> > routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> > failure:s23_clnt.c:741:
> >
> > $ openssl s_client -tls1 -connect myhost:8218
> > CONNECTED(00000003)
> > 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> > alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> > 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> > handshake failure:s3_pkt.c:596:
> >
> > $ openssl s_client -tls1_1 -connect myhost:8218
> > CONNECTED(00000003)
> > 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> > version number:s3_pkt.c:337:
> >
> > $ openssl s_client -tls1_2 -connect myhost:8218
> > CONNECTED(00000003)
> > 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> > version number:s3_pkt.c:337:
> >
> > Firefox also fails with "ssl_error_no_cypher_overlap".
> >
> > $ $ sslscan myhost:8218
> >                    _
> >            ___ ___| |___  ___ __ _ _ __
> >           / __/ __| / __|/ __/ _` | '_ \
> >           \__ \__ \ \__ \ (_| (_| | | | |
> >           |___/___/_|___/\___\__,_|_| |_|
> >
> >                   Version 1.8.2
> >              http://www.titania.co.uk
> >         Copyright Ian Ventura-Whiting 2009
> >
> > Testing SSL server myhost on port 8218
> >
> >   Supported Server Cipher(s):
> >     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
> >     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
> >     Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
> >     Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
> >     Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
> >     Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
> >     Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
> >     Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
> >     Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
> >     Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
> >     Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
> >     Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
> >     Rejected  SSLv3  256 bits  AECDH-AES256-SHA
> >     Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
> >     Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  ADH-AES256-SHA256
> >     Rejected  SSLv3  256 bits  ADH-AES256-SHA
> >     Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
> >     Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
> >     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
> >     Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
> >     Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
> >     Failed    SSLv3  256 bits  AES256-GCM-SHA384
> >     Failed    SSLv3  256 bits  AES256-SHA256
> >     Rejected  SSLv3  256 bits  AES256-SHA
> >     Rejected  SSLv3  256 bits  CAMELLIA256-SHA
> >     Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
> >     Rejected  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
> >     Rejected  SSLv3  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
> >     Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA
> >     Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  ECDH-RSA-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  ECDH-ECDSA-DES-CBC3-SHA
> >     Rejected  SSLv3  168 bits  DES-CBC3-SHA
> >     Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
> >     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
> >     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
> >     Rejected  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
> >     Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
> >     Rejected  SSLv3  128 bits  SRP-DSS-AES-128-CBC-SHA
> >     Rejected  SSLv3  128 bits  SRP-RSA-AES-128-CBC-SHA
> >     Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
> >     Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
> >     Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
> >     Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
> >     Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
> >     Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA
> >     Rejected  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
> >     Rejected  SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
> >     Rejected  SSLv3  128 bits  AECDH-AES128-SHA
> >     Rejected  SSLv3  128 bits  SRP-AES-128-CBC-SHA
> >     Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  ADH-AES128-SHA256
> >     Rejected  SSLv3  128 bits  ADH-AES128-SHA
> >     Rejected  SSLv3  128 bits  ADH-SEED-SHA
> >     Rejected  SSLv3  128 bits  ADH-CAMELLIA128-SHA
> >     Failed    SSLv3  128 bits  ECDH-RSA-AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  ECDH-RSA-AES128-SHA256
> >     Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-SHA256
> >     Rejected  SSLv3  128 bits  ECDH-RSA-AES128-SHA
> >     Rejected  SSLv3  128 bits  ECDH-ECDSA-AES128-SHA
> >     Failed    SSLv3  128 bits  AES128-GCM-SHA256
> >     Failed    SSLv3  128 bits  AES128-SHA256
> >     Rejected  SSLv3  128 bits  AES128-SHA
> >     Rejected  SSLv3  128 bits  SEED-SHA
> >     Rejected  SSLv3  128 bits  CAMELLIA128-SHA
> >     Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
> >     Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
> >     Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
> >     Rejected  SSLv3  128 bits  AECDH-RC4-SHA
> >     Rejected  SSLv3  128 bits  ADH-RC4-MD5
> >     Rejected  SSLv3  128 bits  ECDH-RSA-RC4-SHA
> >     Rejected  SSLv3  128 bits  ECDH-ECDSA-RC4-SHA
> >     Rejected  SSLv3  128 bits  RC4-SHA
> >     Rejected  SSLv3  128 bits  RC4-MD5
> >     Failed    SSLv3  128 bits  PSK-RC4-SHA
> >     Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
> >     Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
> >     Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
> >     Rejected  SSLv3  56 bits   DES-CBC-SHA
> >     Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
> >     Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
> >     Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
> >     Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
> >     Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
> >     Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
> >     Rejected  SSLv3  40 bits   EXP-RC4-MD5
> >     Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
> >     Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
> >     Rejected  SSLv3  0 bits    AECDH-NULL-SHA
> >     Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
> >     Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA
> >     Failed    SSLv3  0 bits    NULL-SHA256
> >     Rejected  SSLv3  0 bits    NULL-SHA
> >     Rejected  SSLv3  0 bits    NULL-MD5
> >     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-SHA384
> >     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
> >     Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
> >     Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
> >     Rejected  TLSv1  256 bits  SRP-DSS-AES-256-CBC-SHA
> >     Rejected  TLSv1  256 bits  SRP-RSA-AES-256-CBC-SHA
> >     Failed    TLSv1  256 bits  DHE-DSS-AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  DHE-RSA-AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA256
> >     Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA256
> >     Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
> >     Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
> >     Rejected  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
> >     Rejected  TLSv1  256 bits  DHE-DSS-CAMELLIA256-SHA
> >     Rejected  TLSv1  256 bits  AECDH-AES256-SHA
> >     Rejected  TLSv1  256 bits  SRP-AES-256-CBC-SHA
> >     Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  ADH-AES256-SHA256
> >     Rejected  TLSv1  256 bits  ADH-AES256-SHA
> >     Rejected  TLSv1  256 bits  ADH-CAMELLIA256-SHA
> >     Failed    TLSv1  256 bits  ECDH-RSA-AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  ECDH-RSA-AES256-SHA384
> >     Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-SHA384
> >     Rejected  TLSv1  256 bits  ECDH-RSA-AES256-SHA
> >     Rejected  TLSv1  256 bits  ECDH-ECDSA-AES256-SHA
> >     Failed    TLSv1  256 bits  AES256-GCM-SHA384
> >     Failed    TLSv1  256 bits  AES256-SHA256
> >     Rejected  TLSv1  256 bits  AES256-SHA
> >     Rejected  TLSv1  256 bits  CAMELLIA256-SHA
> >     Failed    TLSv1  256 bits  PSK-AES256-CBC-SHA
> >     Rejected  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
> >     Rejected  TLSv1  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
> >     Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  AECDH-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  SRP-3DES-EDE-CBC-SHA
> >     Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  ECDH-RSA-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  ECDH-ECDSA-DES-CBC3-SHA
> >     Rejected  TLSv1  168 bits  DES-CBC3-SHA
> >     Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
> >     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-SHA256
> >     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
> >     Rejected  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
> >     Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
> >     Rejected  TLSv1  128 bits  SRP-DSS-AES-128-CBC-SHA
> >     Rejected  TLSv1  128 bits  SRP-RSA-AES-128-CBC-SHA
> >     Failed    TLSv1  128 bits  DHE-DSS-AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  DHE-RSA-AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA256
> >     Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA256
> >     Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
> >     Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
> >     Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA
> >     Rejected  TLSv1  128 bits  DHE-DSS-SEED-SHA
> >     Rejected  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
> >     Rejected  TLSv1  128 bits  DHE-DSS-CAMELLIA128-SHA
> >     Rejected  TLSv1  128 bits  AECDH-AES128-SHA
> >     Rejected  TLSv1  128 bits  SRP-AES-128-CBC-SHA
> >     Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  ADH-AES128-SHA256
> >     Rejected  TLSv1  128 bits  ADH-AES128-SHA
> >     Rejected  TLSv1  128 bits  ADH-SEED-SHA
> >     Rejected  TLSv1  128 bits  ADH-CAMELLIA128-SHA
> >     Failed    TLSv1  128 bits  ECDH-RSA-AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  ECDH-RSA-AES128-SHA256
> >     Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-SHA256
> >     Rejected  TLSv1  128 bits  ECDH-RSA-AES128-SHA
> >     Rejected  TLSv1  128 bits  ECDH-ECDSA-AES128-SHA
> >     Failed    TLSv1  128 bits  AES128-GCM-SHA256
> >     Failed    TLSv1  128 bits  AES128-SHA256
> >     Rejected  TLSv1  128 bits  AES128-SHA
> >     Rejected  TLSv1  128 bits  SEED-SHA
> >     Rejected  TLSv1  128 bits  CAMELLIA128-SHA
> >     Failed    TLSv1  128 bits  PSK-AES128-CBC-SHA
> >     Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
> >     Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
> >     Rejected  TLSv1  128 bits  AECDH-RC4-SHA
> >     Rejected  TLSv1  128 bits  ADH-RC4-MD5
> >     Rejected  TLSv1  128 bits  ECDH-RSA-RC4-SHA
> >     Rejected  TLSv1  128 bits  ECDH-ECDSA-RC4-SHA
> >     Rejected  TLSv1  128 bits  RC4-SHA
> >     Rejected  TLSv1  128 bits  RC4-MD5
> >     Failed    TLSv1  128 bits  PSK-RC4-SHA
> >     Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
> >     Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
> >     Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
> >     Rejected  TLSv1  56 bits   DES-CBC-SHA
> >     Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
> >     Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
> >     Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
> >     Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
> >     Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
> >     Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
> >     Rejected  TLSv1  40 bits   EXP-RC4-MD5
> >     Rejected  TLSv1  0 bits    ECDHE-RSA-NULL-SHA
> >     Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
> >     Rejected  TLSv1  0 bits    AECDH-NULL-SHA
> >     Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA
> >     Rejected  TLSv1  0 bits    ECDH-ECDSA-NULL-SHA
> >     Failed    TLSv1  0 bits    NULL-SHA256
> >     Rejected  TLSv1  0 bits    NULL-SHA
> >     Rejected  TLSv1  0 bits    NULL-MD5
> >
> > The cipher appears to be supported by both client (OpenSSL s_client)
> > and server (Also using the same version of OpenSSL) but the handshake
> > cannot complete.
> >
> > Let's try another cipher. How about one that worked before:
> > DHE-RSA-AES256-SHA
> >
> >
> >        <Connector port="8218"
> >                protocol="org.apache.coyote.http11.Http11AprProtocol"
> >                SSLEnabled="true"
> >                secure="true"
> >                scheme="https"
> >                SSLCipherSuite="DHE-RSA-AES256-SHA"
> >                SSLCertificateKeyFile="[...]"
> >                SSLCertificateFile="[...]"
> >                SSLCertificateChainFile="[...]"
> >                SSLProtocol="TLSv1"
> >                executor="tomcatThreadPool"
> >                URIEncoding="UTF-8" />
> >
> > $ openssl c_client -connect myhost:8218
> > [...]
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : DHE-RSA-AES256-SHA
> > [...]
> >
> > Works. Firefox 26 also works.
> >
> > There must be some kind of problem with configuring
> > ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?
> >
> > -chris
>
>
> Nice work.  Really generous.
>
> -Terence Bandoian
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message