tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sanaullah <sanaulla...@gmail.com>
Subject Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Sun, 05 Jan 2014 03:18:58 GMT
you can create the ECC self singed certificates using the below two
commands of Openssl

openssl ecparam -out sinful.key -name prime256v1 -genkey
openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM
-days 3650

root@ubuntu:/# openssl s_client -connect localhost:8443
CONNECTED(00000003)
Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
+aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
EmVg3uQq9XxPfiI=
-----END CERTIFICATE-----

---
SSL handshake has read 836 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDH-ECDSA-AES256-SHA
    Session-ID:
0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
    Session-ID-ctx:
    Master-Key:
7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de
9._1....x.f}G{..
    0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e
...%.....7s.P..>
    0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05
.Qb......m.6....
    0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f
q^.....4..[.....
    0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4
\?m...;..6.?..U.
    0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36
H7s.u"..(...|..6
    0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab
D....13nQ.O^....
    0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c
..{.i..w.:.j..0|
    0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84
...?..a.-XK.....
    0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91
IL"mV.U..'z?....
    00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68
.......Nw.."...h

    Start Time: 1388891510
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


I am also unable to initialize any TLS1.1 or TLS1.2 related ECC Ciphers

Here is my config
tomcat 7.0.47
libapr 1.5.0-1
tcnative 1.1.29-1

<Connector port="8443"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLProtocol="all"
               SSLCertificateFile="/home/san/sinful.pem"
               SSLCertificateKeyFile="/home/san/sinful.key" />




On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 1/4/14, 6:37 PM, Mark Eggers wrote:
> > On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
> >>
> >> Musassir,
> >>
> >> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> >>> Musassir,
> >>>
> >>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> >>>> Again, we have to submit this as a bug.....TLS 1.2 is not
> >>>> working in Tomcat
> >>>
> >>> Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk
> >>> (essentially 1.2.29
> >>>
> >>> tcnative$ make clean tcnative$ ./configure --with-apr=`which
> >>> apr-config` --with-java-home=/usr/local/java-7 --with-ssl
> >>> tcnative$ time make [...] make[1]: Leaving directory
> >>> `/home/cschultz/projects/tomcat-native-1.1.x/native'
> >>>
> >>> real    0m14.790s user    0m15.300s sys    0m1.840s
> >>>
> >>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> >>>
> >>> tcnative$ cd $CATALINA_BASE
> >>>
> >>> tomcat$ cat conf/server.xml
> >>>
> >>> [...] <Connector port="8218"
> >>> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>> SSLEnabled="true" secure="true" scheme="https"
> >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
> >>> SSLCertificateChainFile="[...]" SSLProtocol="all"
> >>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> [...]
> >>>
> >>> tomcat$ bin/startup.sh
> >>>
> >>> [...] Jan 04, 2014 3:17:26 PM
> >>> org.apache.catalina.core.AprLifecycleListener init INFO: Loaded
> >>> APR based Apache Tomcat Native library 1.1.30 using APR version
> >>> 1.4.6. Jan 04, 2014 3:17:26 PM
> >>> org.apache.catalina.core.AprLifecycleListener init INFO: APR
> >>> capabilities: IPv6 [true], sendfile [true], accept filters
> >>> [false], random [true]. Jan 04, 2014 3:17:26 PM
> >>> org.apache.catalina.core.AprLifecycleListener initializeSSL
> >>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb
> >>> 2013) [...]
> >>>
> >>> tomcat$ openssl s_client -connect myhost:8218 [...] verify
> >>> error:num=19:self signed certificate in certificate chain
> >>> [...] SSL-Session: Protocol  : TLSv1.2 Cipher    :
> >>> DHE-RSA-AES256-GCM-SHA384 [...]
> >>>
> >>> *disconnect*
> >>>
> >>> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can
> >>> connect using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
> >>>
> >>> Looks like TLS1.2 works just fine in the default configuration
> >>> (SSLProtocol="all" is the default).
> >>>
> >>> Let's try your configuration. I'm only going to change
> >>> SSLProtocol from "all" to "TLSv1":
> >>>
> >>> <Connector port="8218"
> >>> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>> SSLEnabled="true" secure="true" scheme="https"
> >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
> >>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
> >>> executor="tomcatThreadPool" URIEncoding="UTF-8" />
> >>>
> >>> * Restart Tomcat*
> >>>
> >>> tomcat$ openssl s_client -connect myhost:8218 [...]
> >>> SSL-Session: Protocol  : TLSv1 Cipher    : DHE-RSA-AES256-SHA
> >>> [...]
> >>>
> >>> Trying again with Firefox 26 give me
> >>> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
> >>>
> >>> Let's try restricting to only your cipher. Let's make sure that
> >>> my OpenSSL version supports it, first:
> >>>
> >>> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> >>> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA
> >>> Enc=AES(128) Mac=SHA256
> >>>
> >>>
> >>> Yup. Let's configure it in Tomcat:
> >>>
> >>> <Connector port="8218"
> >>> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>> SSLEnabled="true" secure="true" scheme="https"
> >>> SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
> >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
> >>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
> >>> executor="tomcatThreadPool" URIEncoding="UTF-8" />
> >>>
> >>>
> >>> $ openssl s_client -connect myhost:8218 CONNECTED(00000003)
> >>> 139718306563752:error:14077410:SSL
> >>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> >>> failure:s23_clnt.c:741:
> >>>
> >>> $ openssl s_client -tls1 -connect myhost:8218
> >>> CONNECTED(00000003) 139965071759016:error:14094410:SSL
> >>> routines:SSL3_READ_BYTES:sslv3 alert handshake
> >>> failure:s3_pkt.c:1256:SSL alert number 40
> >>> 139965071759016:error:1409E0E5:SSL
> >>> routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
> >>>
> >>> $ openssl s_client -tls1_1 -connect myhost:8218
> >>> CONNECTED(00000003) 140680041133736:error:1408F10B:SSL
> >>> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> >>>
> >>> $ openssl s_client -tls1_2 -connect myhost:8218
> >>> CONNECTED(00000003) 139976873068200:error:1408F10B:SSL
> >>> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> >>>
> >>> Firefox also fails with "ssl_error_no_cypher_overlap".
> >>>
> >>> $ $ sslscan myhost:8218 _ ___ ___| |___  ___ __ _ _ __ / __/
> >>> __| / __|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | |
> >>> |___/___/_|___/\___\__,_|_| |_|
> >>>
> >>> Version 1.8.2 http://www.titania.co.uk Copyright Ian
> >>> Ventura-Whiting 2009
> >>>
> >>> Testing SSL server myhost on port 8218
> >>>
> >>> Supported Server Cipher(s): Failed    SSLv3  256 bits
> >>> ECDHE-RSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> >>> ECDHE-ECDSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> >>> ECDHE-RSA-AES256-SHA384 Failed    SSLv3  256 bits
> >>> ECDHE-ECDSA-AES256-SHA384 Rejected  SSLv3  256 bits
> >>> ECDHE-RSA-AES256-SHA Rejected  SSLv3  256 bits
> >>> ECDHE-ECDSA-AES256-SHA Rejected  SSLv3  256 bits
> >>> SRP-DSS-AES-256-CBC-SHA Rejected  SSLv3  256 bits
> >>> SRP-RSA-AES-256-CBC-SHA Failed    SSLv3  256 bits
> >>> DHE-DSS-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> >>> DHE-RSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> >>> DHE-RSA-AES256-SHA256 Failed    SSLv3  256 bits
> >>> DHE-DSS-AES256-SHA256 Rejected  SSLv3  256 bits
> >>> DHE-RSA-AES256-SHA Rejected  SSLv3  256 bits
> >>> DHE-DSS-AES256-SHA Rejected  SSLv3  256 bits
> >>> DHE-RSA-CAMELLIA256-SHA Rejected  SSLv3 256 bits
> >>> DHE-DSS-CAMELLIA256-SHA Rejected  SSLv3  256 bits
> >>> AECDH-AES256-SHA Rejected  SSLv3  256 bits
> >>> SRP-AES-256-CBC-SHA Failed    SSLv3  256 bits
> >>> ADH-AES256-GCM-SHA384 Failed    SSLv3 256 bits
> >>> ADH-AES256-SHA256 Rejected  SSLv3  256 bits ADH-AES256-SHA
> >>> Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA Failed    SSLv3
> >>> 256 bits  ECDH-RSA-AES256-GCM-SHA384 Failed SSLv3  256 bits
> >>> ECDH-ECDSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> >>> ECDH-RSA-AES256-SHA384 Failed    SSLv3  256 bits
> >>> ECDH-ECDSA-AES256-SHA384 Rejected  SSLv3  256 bits
> >>> ECDH-RSA-AES256-SHA Rejected  SSLv3  256 bits
> >>> ECDH-ECDSA-AES256-SHA Failed    SSLv3  256 bits
> >>> AES256-GCM-SHA384 Failed    SSLv3  256 bits  AES256-SHA256
> >>> Rejected  SSLv3  256 bits AES256-SHA Rejected  SSLv3  256 bits
> >>> CAMELLIA256-SHA Failed SSLv3  256 bits  PSK-AES256-CBC-SHA
> >>> Rejected  SSLv3  168 bits ECDHE-RSA-DES-CBC3-SHA Rejected
> >>> SSLv3  168 bits ECDHE-ECDSA-DES-CBC3-SHA Rejected  SSLv3  168
> >>> bits SRP-DSS-3DES-EDE-CBC-SHA Rejected  SSLv3  168 bits
> >>> SRP-RSA-3DES-EDE-CBC-SHA Rejected  SSLv3  168 bits
> >>> EDH-RSA-DES-CBC3-SHA Rejected  SSLv3  168 bits
> >>> EDH-DSS-DES-CBC3-SHA Rejected  SSLv3  168 bits
> >>> AECDH-DES-CBC3-SHA Rejected  SSLv3  168 bits
> >>> SRP-3DES-EDE-CBC-SHA Rejected  SSLv3 168 bits  ADH-DES-CBC3-SHA
> >>> Rejected  SSLv3  168 bits ECDH-RSA-DES-CBC3-SHA Rejected  SSLv3
> >>> 168 bits ECDH-ECDSA-DES-CBC3-SHA Rejected  SSLv3  168 bits
> >>> DES-CBC3-SHA Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
> >>> Failed    SSLv3 128 bits  ECDHE-RSA-AES128-GCM-SHA256 Failed
> >>> SSLv3  128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Failed    SSLv3
> >>> 128 bits ECDHE-RSA-AES128-SHA256 Failed    SSLv3  128 bits
> >>> ECDHE-ECDSA-AES128-SHA256 Rejected  SSLv3  128 bits
> >>> ECDHE-RSA-AES128-SHA Rejected  SSLv3  128 bits
> >>> ECDHE-ECDSA-AES128-SHA Rejected  SSLv3  128 bits
> >>> SRP-DSS-AES-128-CBC-SHA Rejected  SSLv3  128 bits
> >>> SRP-RSA-AES-128-CBC-SHA Failed    SSLv3  128 bits
> >>> DHE-DSS-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> >>> DHE-RSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> >>> DHE-RSA-AES128-SHA256 Failed    SSLv3  128 bits
> >>> DHE-DSS-AES128-SHA256 Rejected  SSLv3  128 bits
> >>> DHE-RSA-AES128-SHA Rejected  SSLv3  128 bits
> >>> DHE-DSS-AES128-SHA Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
> >>> Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA Rejected  SSLv3
> >>> 128 bits DHE-RSA-CAMELLIA128-SHA Rejected  SSLv3  128 bits
> >>> DHE-DSS-CAMELLIA128-SHA Rejected  SSLv3  128 bits
> >>> AECDH-AES128-SHA Rejected  SSLv3  128 bits
> >>> SRP-AES-128-CBC-SHA Failed    SSLv3  128 bits
> >>> ADH-AES128-GCM-SHA256 Failed    SSLv3 128 bits
> >>> ADH-AES128-SHA256 Rejected  SSLv3  128 bits ADH-AES128-SHA
> >>> Rejected  SSLv3  128 bits  ADH-SEED-SHA Rejected SSLv3  128
> >>> bits  ADH-CAMELLIA128-SHA Failed    SSLv3  128 bits
> >>> ECDH-RSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> >>> ECDH-ECDSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> >>> ECDH-RSA-AES128-SHA256 Failed    SSLv3  128 bits
> >>> ECDH-ECDSA-AES128-SHA256 Rejected  SSLv3  128 bits
> >>> ECDH-RSA-AES128-SHA Rejected  SSLv3  128 bits
> >>> ECDH-ECDSA-AES128-SHA Failed    SSLv3  128 bits
> >>> AES128-GCM-SHA256 Failed    SSLv3  128 bits  AES128-SHA256
> >>> Rejected  SSLv3  128 bits AES128-SHA Rejected  SSLv3  128 bits
> >>> SEED-SHA Rejected  SSLv3  128 bits  CAMELLIA128-SHA Failed
> >>> SSLv3  128 bits PSK-AES128-CBC-SHA Rejected  SSLv3  128 bits
> >>> ECDHE-RSA-RC4-SHA Rejected  SSLv3  128 bits
> >>> ECDHE-ECDSA-RC4-SHA Rejected  SSLv3  128 bits  AECDH-RC4-SHA
> >>> Rejected  SSLv3  128 bits  ADH-RC4-MD5 Rejected SSLv3  128 bits
> >>> ECDH-RSA-RC4-SHA Rejected  SSLv3  128 bits ECDH-ECDSA-RC4-SHA
> >>> Rejected  SSLv3  128 bits  RC4-SHA Rejected SSLv3  128 bits
> >>> RC4-MD5 Failed    SSLv3  128 bits  PSK-RC4-SHA Rejected  SSLv3
> >>> 56 bits   EDH-RSA-DES-CBC-SHA Rejected  SSLv3  56 bits
> >>> EDH-DSS-DES-CBC-SHA Rejected  SSLv3  56 bits ADH-DES-CBC-SHA
> >>> Rejected  SSLv3  56 bits   DES-CBC-SHA Rejected SSLv3  40 bits
> >>> EXP-EDH-RSA-DES-CBC-SHA Rejected  SSLv3  40 bits
> >>> EXP-EDH-DSS-DES-CBC-SHA Rejected  SSLv3  40 bits
> >>> EXP-ADH-DES-CBC-SHA Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
> >>> Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5 Rejected  SSLv3  40
> >>> bits EXP-ADH-RC4-MD5 Rejected  SSLv3  40 bits   EXP-RC4-MD5
> >>> Rejected SSLv3  0 bits    ECDHE-RSA-NULL-SHA Rejected  SSLv3  0
> >>> bits ECDHE-ECDSA-NULL-SHA Rejected  SSLv3  0 bits
> >>> AECDH-NULL-SHA Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
> >>> Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA Failed    SSLv3
> >>> 0 bits    NULL-SHA256 Rejected  SSLv3  0 bits    NULL-SHA
> >>> Rejected  SSLv3  0 bits NULL-MD5 Failed    TLSv1  256 bits
> >>> ECDHE-RSA-AES256-GCM-SHA384 Failed    TLSv1  256 bits
> >>> ECDHE-ECDSA-AES256-GCM-SHA384 Failed TLSv1  256 bits
> >>> ECDHE-RSA-AES256-SHA384 Failed    TLSv1  256 bits
> >>> ECDHE-ECDSA-AES256-SHA384 Rejected  TLSv1  256 bits
> >>> ECDHE-RSA-AES256-SHA Rejected  TLSv1  256 bits
> >>> ECDHE-ECDSA-AES256-SHA Rejected  TLSv1  256 bits
> >>> SRP-DSS-AES-256-CBC-SHA Rejected  TLSv1  256 bits
> >>> SRP-RSA-AES-256-CBC-SHA Failed    TLSv1  256 bits
> >>> DHE-DSS-AES256-GCM-SHA384 Failed    TLSv1  256 bits
> >>> DHE-RSA-AES256-GCM-SHA384 Failed    TLSv1  256 bits
> >>> DHE-RSA-AES256-SHA256 Failed    TLSv1  256 bits
> >>> DHE-DSS-AES256-SHA256 Rejected  TLSv1  256 bits
> >>> DHE-RSA-AES256-SHA Rejected  TLSv1  256 bits
> >>> DHE-DSS-AES256-SHA Rejected  TLSv1  256 bits
> >>> DHE-RSA-CAMELLIA256-SHA Rejected  TLSv1 256 bits
> >>> DHE-DSS-CAMELLIA256-SHA Rejected  TLSv1  256 bits
> >>> AECDH-AES256-SHA Rejected  TLSv1  256 bits
> >>> SRP-AES-256-CBC-SHA Failed    TLSv1  256 bits
> >>> ADH-AES256-GCM-SHA384 Failed    TLSv1 256 bits
> >>> ADH-AES256-SHA256 Rejected  TLSv1  256 bits ADH-AES256-SHA
> >>> Rejected  TLSv1  256 bits  ADH-CAMELLIA256-SHA Failed    TLSv1
> >>> 256 bits  ECDH-RSA-AES256-GCM-SHA384 Failed TLSv1  256 bits
> >>> ECDH-ECDSA-AES256-GCM-SHA384 Failed    TLSv1  256 bits
> >>> ECDH-RSA-AES256-SHA384 Failed    TLSv1  256 bits
> >>> ECDH-ECDSA-AES256-SHA384 Rejected  TLSv1  256 bits
> >>> ECDH-RSA-AES256-SHA Rejected  TLSv1  256 bits
> >>> ECDH-ECDSA-AES256-SHA Failed    TLSv1  256 bits
> >>> AES256-GCM-SHA384 Failed    TLSv1  256 bits  AES256-SHA256
> >>> Rejected  TLSv1  256 bits AES256-SHA Rejected  TLSv1  256 bits
> >>> CAMELLIA256-SHA Failed TLSv1  256 bits  PSK-AES256-CBC-SHA
> >>> Rejected  TLSv1  168 bits ECDHE-RSA-DES-CBC3-SHA Rejected
> >>> TLSv1  168 bits ECDHE-ECDSA-DES-CBC3-SHA Rejected  TLSv1  168
> >>> bits SRP-DSS-3DES-EDE-CBC-SHA Rejected  TLSv1  168 bits
> >>> SRP-RSA-3DES-EDE-CBC-SHA Rejected  TLSv1  168 bits
> >>> EDH-RSA-DES-CBC3-SHA Rejected  TLSv1  168 bits
> >>> EDH-DSS-DES-CBC3-SHA Rejected  TLSv1  168 bits
> >>> AECDH-DES-CBC3-SHA Rejected  TLSv1  168 bits
> >>> SRP-3DES-EDE-CBC-SHA Rejected  TLSv1 168 bits  ADH-DES-CBC3-SHA
> >>> Rejected  TLSv1  168 bits ECDH-RSA-DES-CBC3-SHA Rejected  TLSv1
> >>> 168 bits ECDH-ECDSA-DES-CBC3-SHA Rejected  TLSv1  168 bits
> >>> DES-CBC3-SHA Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
> >>> Failed    TLSv1 128 bits  ECDHE-RSA-AES128-GCM-SHA256 Failed
> >>> TLSv1  128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Failed    TLSv1
> >>> 128 bits ECDHE-RSA-AES128-SHA256 Failed    TLSv1  128 bits
> >>> ECDHE-ECDSA-AES128-SHA256 Rejected  TLSv1  128 bits
> >>> ECDHE-RSA-AES128-SHA Rejected  TLSv1  128 bits
> >>> ECDHE-ECDSA-AES128-SHA Rejected  TLSv1  128 bits
> >>> SRP-DSS-AES-128-CBC-SHA Rejected  TLSv1  128 bits
> >>> SRP-RSA-AES-128-CBC-SHA Failed    TLSv1  128 bits
> >>> DHE-DSS-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> >>> DHE-RSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> >>> DHE-RSA-AES128-SHA256 Failed    TLSv1  128 bits
> >>> DHE-DSS-AES128-SHA256 Rejected  TLSv1  128 bits
> >>> DHE-RSA-AES128-SHA Rejected  TLSv1  128 bits
> >>> DHE-DSS-AES128-SHA Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA
> >>> Rejected  TLSv1  128 bits  DHE-DSS-SEED-SHA Rejected  TLSv1
> >>> 128 bits DHE-RSA-CAMELLIA128-SHA Rejected  TLSv1  128 bits
> >>> DHE-DSS-CAMELLIA128-SHA Rejected  TLSv1  128 bits
> >>> AECDH-AES128-SHA Rejected  TLSv1  128 bits
> >>> SRP-AES-128-CBC-SHA Failed    TLSv1  128 bits
> >>> ADH-AES128-GCM-SHA256 Failed    TLSv1 128 bits
> >>> ADH-AES128-SHA256 Rejected  TLSv1  128 bits ADH-AES128-SHA
> >>> Rejected  TLSv1  128 bits  ADH-SEED-SHA Rejected TLSv1  128
> >>> bits  ADH-CAMELLIA128-SHA Failed    TLSv1  128 bits
> >>> ECDH-RSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> >>> ECDH-ECDSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> >>> ECDH-RSA-AES128-SHA256 Failed    TLSv1  128 bits
> >>> ECDH-ECDSA-AES128-SHA256 Rejected  TLSv1  128 bits
> >>> ECDH-RSA-AES128-SHA Rejected  TLSv1  128 bits
> >>> ECDH-ECDSA-AES128-SHA Failed    TLSv1  128 bits
> >>> AES128-GCM-SHA256 Failed    TLSv1  128 bits  AES128-SHA256
> >>> Rejected  TLSv1  128 bits AES128-SHA Rejected  TLSv1  128 bits
> >>> SEED-SHA Rejected  TLSv1  128 bits  CAMELLIA128-SHA Failed
> >>> TLSv1  128 bits PSK-AES128-CBC-SHA Rejected  TLSv1  128 bits
> >>> ECDHE-RSA-RC4-SHA Rejected  TLSv1  128 bits
> >>> ECDHE-ECDSA-RC4-SHA Rejected  TLSv1  128 bits  AECDH-RC4-SHA
> >>> Rejected  TLSv1  128 bits  ADH-RC4-MD5 Rejected TLSv1  128 bits
> >>> ECDH-RSA-RC4-SHA Rejected  TLSv1  128 bits ECDH-ECDSA-RC4-SHA
> >>> Rejected  TLSv1  128 bits  RC4-SHA Rejected TLSv1  128 bits
> >>> RC4-MD5 Failed    TLSv1  128 bits  PSK-RC4-SHA Rejected  TLSv1
> >>> 56 bits   EDH-RSA-DES-CBC-SHA Rejected  TLSv1  56 bits
> >>> EDH-DSS-DES-CBC-SHA Rejected  TLSv1  56 bits ADH-DES-CBC-SHA
> >>> Rejected  TLSv1  56 bits   DES-CBC-SHA Rejected TLSv1  40 bits
> >>> EXP-EDH-RSA-DES-CBC-SHA Rejected  TLSv1  40 bits
> >>> EXP-EDH-DSS-DES-CBC-SHA Rejected  TLSv1  40 bits
> >>> EXP-ADH-DES-CBC-SHA Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
> >>> Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5 Rejected  TLSv1  40
> >>> bits EXP-ADH-RC4-MD5 Rejected  TLSv1  40 bits   EXP-RC4-MD5
> >>> Rejected TLSv1  0 bits    ECDHE-RSA-NULL-SHA Rejected  TLSv1  0
> >>> bits ECDHE-ECDSA-NULL-SHA Rejected  TLSv1  0 bits
> >>> AECDH-NULL-SHA Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA
> >>> Rejected  TLSv1  0 bits    ECDH-ECDSA-NULL-SHA Failed    TLSv1
> >>> 0 bits    NULL-SHA256 Rejected  TLSv1  0 bits    NULL-SHA
> >>> Rejected  TLSv1  0 bits NULL-MD5
> >>>
> >>> The cipher appears to be supported by both client (OpenSSL
> >>> s_client) and server (Also using the same version of OpenSSL)
> >>> but the handshake cannot complete.
> >>>
> >>> Let's try another cipher. How about one that worked before:
> >>> DHE-RSA-AES256-SHA
> >>>
> >>>
> >>> <Connector port="8218"
> >>> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>> SSLEnabled="true" secure="true" scheme="https"
> >>> SSLCipherSuite="DHE-RSA-AES256-SHA"
> >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
> >>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
> >>> executor="tomcatThreadPool" URIEncoding="UTF-8" />
> >>>
> >>> $ openssl c_client -connect myhost:8218 [...] SSL-Session:
> >>> Protocol : TLSv1 Cipher    : DHE-RSA-AES256-SHA [...]
> >>>
> >>> Works. Firefox 26 also works.
> >>>
> >>> There must be some kind of problem with configuring
> >>> ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?
> >>
> >> Oh, I also tried this:
> >>
> >> <Connector port="8218"
> >> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >> SSLEnabled="true" secure="true" scheme="https"
> >> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
> >> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
> >> executor="tomcatThreadPool" URIEncoding="UTF-8" />
> >>
> >> $ openssl s_client -connect myhost:8218 -cipher
> >> ECDHE-ECDSA-AES128-SHA256 CONNECTED(00000003)
> >> 140418231797416:error:14077410:SSL
> >> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> >> failure:s23_clnt.c:741:
> >>
> >> (Try some other cipher) $ openssl s_client -connect myhost:8218
> >> -cipher DHE-RSA-AES256-SHA
> >>
> >> [...] SSL-Session: Protocol  : TLSv1 Cipher    :
> >> DHE-RSA-AES256-SHA [...]
> >>
> >> $ sslscan myhost:8218 | grep ECDHE-ECDSA Failed    SSLv3  256
> >> bits  ECDHE-ECDSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> >> ECDHE-ECDSA-AES256-SHA384 Rejected  SSLv3  256 bits
> >> ECDHE-ECDSA-AES256-SHA Rejected  SSLv3  168 bits
> >> ECDHE-ECDSA-DES-CBC3-SHA Failed    SSLv3  128 bits
> >> ECDHE-ECDSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> >> ECDHE-ECDSA-AES128-SHA256 Rejected  SSLv3  128 bits
> >> ECDHE-ECDSA-AES128-SHA Rejected  SSLv3  128 bits
> >> ECDHE-ECDSA-RC4-SHA Rejected  SSLv3  0 bits
> >> ECDHE-ECDSA-NULL-SHA Failed    TLSv1  256 bits
> >> ECDHE-ECDSA-AES256-GCM-SHA384 Failed    TLSv1  256 bits
> >> ECDHE-ECDSA-AES256-SHA384 Rejected  TLSv1  256 bits
> >> ECDHE-ECDSA-AES256-SHA Rejected  TLSv1  168 bits
> >> ECDHE-ECDSA-DES-CBC3-SHA Failed    TLSv1  128 bits
> >> ECDHE-ECDSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> >> ECDHE-ECDSA-AES128-SHA256 Rejected  TLSv1  128 bits
> >> ECDHE-ECDSA-AES128-SHA Rejected  TLSv1  128 bits
> >> ECDHE-ECDSA-RC4-SHA Rejected  TLSv1  0 bits
> >> ECDHE-ECDSA-NULL-SHA
> >>
> >> It looks like there is something wrong with the ECDHE-ECDSA
> >> suites. If anything, this is an OpenSSL problem and not a Tomcat
> >> one: Tomcat doesn't do anything with the crypto, here.
> >>
> >> - -chris
> >
> > Did you make an ECDSA cert?
> >
> > . . . . still in RFP response mode, so only 1/2 cent here
>
> ECDHE is Elliptic curve Diffie–Hellman Exchange, which is just DHE
> with elliptic curve. Note that I was able to use other (non-EC) DHE
> ciphers.
>
> AFAIK, the only choice you have when creating an SSL/TLS certificate
> is whether to create an RSA or DSA key. The problem is more likely
> that the "ECDSA" part of the algorithm won't work without a DSA key.
>
> Thanks for pointing that out.
>
> On the other hand, it appears that no ECDHE ciphers are working:
>
> $ sslscan myhost:8218 | grep ECDHE
>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
>     Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
>     Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
>     Rejected  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
>     Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>     Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
>     Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
>     Rejected  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
>     Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
>     Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>     Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
>     Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
>     Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
>     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>     Failed    TLSv1  256 bits  ECDHE-RSA-AES256-SHA384
>     Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
>     Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>     Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
>     Rejected  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
>     Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
>     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
>     Failed    TLSv1  128 bits  ECDHE-RSA-AES128-SHA256
>     Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
>     Rejected  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>     Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
>     Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>     Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
>     Rejected  TLSv1  0 bits    ECDHE-RSA-NULL-SHA
>     Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
>
> OpenSSL does have a few new tricks since the EC stuff was added, though:
>
> $ openssl --help
> [...]
> dhparam
> ecparam
> ec
> gendh
> genpkey
> pkeyparam
> [...]
>
> It looks like these algorithms probably *do* require a different
> flavor of key, and not just a standard RSA key like most folks are
> used to (and even if the algorithm contains "RSA" and not "DSA", among
> other things).
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJSyK8XAAoJEBzwKT+lPKRYcTIP/3fxN7Ctf+ROs2hbvXgmQT5P
> xE2VIFXP8wIAhiSogDmMKipx5T7zR06JzwutB/5a/0rZ2n+nMy5bVmkgA9K1ZiDH
> n4Ccfr8zpanTSt51GhXg5rLwg2LAB3KrnL2Dyb8sI0g2QEmoh0XgFTbGwcBeuin3
> 2ZAXC/y5QhKoUBk7Iv66AoQ7YTV8kJJpwIjBY4Mhbd9sZTRh7YWKtAwbXEkuveqz
> 5M3rv/H4aDS4FE6zgZ2fgUy4qAnoyr+1wjC1vWIdPe7BEe4tlDoI/tx95H7ggjvr
> Gy5FomHSoHvV2EkjzWJdiD/g5HW43AjpkpCLwLjlDnufLFgZtRbrVXMX8QxHjL2G
> V5F6cb/+ZUXGoUgyBiFsG1QkJELcKP7BLBu2ew3BBiW8ybrFPulIQet97EZ0nE4/
> aTJxx7AnjMjuHlYHGu3q2xz983SViulYtJ1iShbpYESePQfnA77aEqmP9nytD6Dg
> gqgudz7ecy1x5nGkYj8VT4/6Tkc6t8kGIQGWoQbJoEt4cQWfQVOZP+lFKtXkGwxL
> 7b0ykx6b+x/pvEHPttYTMzRbYMnQ5mInhT6266jPPQThcLOXwjn16PD9UQkslFp9
> nxbpoj5o7S86qfB/XONL+E9WgWfpWmgkLKMQ06pYeZLo0L47RERg20eSLhNYRUTu
> VRRJySduvE3hWnCj5IZp
> =Jak9
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message