tomcat-users mailing list archives

From Mudassir Aftab <withmudas...@gmail.com>
Subject Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Date Sat, 04 Jan 2014 13:19:36 GMT
Here is my test with the latest OpenSSL and Tomcat.

Tools:
openssl:  1.0.1e
apache-tomcat-7.0.47
apr-1.5.0
tomcat-native-1.1.29

Connector:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200"
           clientAuth="false"
           SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/opt/misc/certs/ca.pem"
           SSLCertificateKeyFile="/opt/misc/certs/k.key" />

Tomcat Logs:
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 04, 2014 1:10:16 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 04, 2014 1:10:16 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3580 ms
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:22 PM org.apache.catalina.startup.Catalina start


Verification Tests:
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -tls1
-cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers
available:s3_clnt.c:754:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1388841094
    Timeout   : 7200 (sec)
    Verify return code: 0 (y)
---
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -cipher
ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
3073734920:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers
available:s23_clnt.c:486:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---



On Sat, Jan 4, 2014 at 4:48 AM, Mark Eggers <its_toasted@yahoo.com> wrote:

> On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>
>>> From: Mudassir Aftab [mailto:withmudassir@gmail.com] Subject: RE:
>>> TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>>
>>> Again, we have to submit this as a bug.....TLS 1.2 is not working
>>> in Tomcat
>>
>> The only evidence you have provided is that your single chosen cipher
>> is not implemented by the version of Firefox you're using - which has
>> nothing to do with Tomcat.  The TCP capture you provided is just text
>> rather than a useful .pcap file, and no one's going to waste their
>> time digging through raw bits when any decent protocol analyzer would
>> do the job automatically.
>>
>> - Chuck
>>
>>
>
> It's been years (more than I care to count) since I've read raw packet
> data, but at first glance I do not see the browser (172.16.50.10)
> initiating a TLSv1.2 Client Hello.
>
> I'm looking at the following line:
>
> 0030  c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05   .........9.8....
>
> I expect to see something like:
>
> 16 03 01
>
> starting at octet 36. Instead, I see:
>
> 00 87 00
>
> I don't know if that's because the information is encrypted, or what.
> However, it doesn't look like what I see when I aim Firefox 26.0 at an
> HTTPS site.
>
> I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or
> CentOS). If so, get that and look for the TLSv1.2 Client Hello coming from
> your browser. If it's not coming from your browser, then something else is
> wrong.
>
> Are you addressing example.com with https://example.com:8443/ in your
> browser?
>
> As has been pointed out, this is an all-volunteer list (taking a break
> from writing an RFP here). Making it difficult to answer questions
> (incorrect, incomplete, or difficult to parse information) will not
> encourage volunteers to step forth.
>
> . . . . Friday night RFP response writing
> /mde/
>
>

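The raw-dump reading and the s_client cipher tests above both turn on two fields of the ClientHello: the version it announces and the cipher suites it lists (SHA-256 suites such as ECDHE-ECDSA-AES128-SHA256 exist only from TLS 1.2, so a hello at TLS 1.0, which -tls1 forces, cannot carry them). The following is an added example, not code from this thread, that parses those fields from the TCP payload of a ClientHello; it assumes the standard IANA cipher-suite code points, and the sample hello is constructed rather than captured.

```python
import struct

# IANA cipher-suite code points (standard values; subset relevant to the thread)
SUITE_NAMES = {
    0xC023: "ECDHE-ECDSA-AES128-SHA256",  # SHA-256 MAC: TLS 1.2 only
    0xC00A: "ECDHE-ECDSA-AES256-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0x0039: "DHE-RSA-AES256-SHA",
    0x0038: "DHE-DSS-AES256-SHA",
}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(payload: bytes) -> dict:
    """Parse the TCP payload of a ClientHello: record version, hello version, suites."""
    if len(payload) < 5 or payload[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    record_ver, rec_len = struct.unpack(">HH", payload[1:5])
    body = payload[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x01:                # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello_ver = struct.unpack(">H", body[4:6])[0]       # after 1-byte type + 3-byte length
    pos = 6 + 32                                        # skip the 32-byte client random
    pos += 1 + body[pos]                                # skip length-prefixed session id
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = struct.unpack(">%dH" % (n // 2), body[pos:pos + n])
    return {
        "record_version": VERSIONS.get(record_ver, hex(record_ver)),
        "hello_version": VERSIONS.get(hello_ver, hex(hello_ver)),
        "suites": [SUITE_NAMES.get(s, "0x%04X" % s) for s in suites],
    }

def build_client_hello(hello_ver: int, suites: list) -> bytes:
    """Build a minimal ClientHello (no extensions) as constructed sample input."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body = (struct.pack(">H", hello_ver) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00")        # suites, null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs       # record layer says TLSv1.0, as clients do

# Constructed sample: a TLS 1.2 hello offering only SHA-1 suites, which a server
# restricted to ECDHE-ECDSA-AES128-SHA256 can never negotiate.
SAMPLE = build_client_hello(0x0303, [0xC00A, 0xC014, 0x0039, 0x0038])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE)
    print(info)
    print("offers ECDHE-ECDSA-AES128-SHA256:", "ECDHE-ECDSA-AES128-SHA256" in info["suites"])
```

Feed it the bytes a protocol analyzer shows after the Ethernet/IP/TCP headers (the record starts with 16 03 0x, not at a fixed frame offset) to confirm what a browser actually offers before filing a server-side bug.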