From: "Caldarale, Charles R"
To: Tomcat Users List
Date: Thu, 2 Jan 2014 15:28:04 -0600
Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> From: Mudassir Aftab [mailto:withmudassir@gmail.com]
> Subject: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> I need TLSv1.2 support for tomcat

That's available by default with current OpenSSL versions.

> Also what will be the preferable connector settings ?

Whatever you need them to be. The values depend entirely on your applications and environment.

> I am using following connector in Apache Tomcat/7.0.42
> sslEnabledProtocols="TLSv1.2"

The above attribute is for the BIO and NIO connectors, not the APR one you are using. You should instead specify:

    SSLProtocol="TLSv1"

if you want to eliminate SSLv3 (but your client might not like that). You can also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

> An error occurred during a connection to confidential.com:8443. Cannot
> communicate securely with peer: no common encryption algorithm(s).

This means the client you're using and your build of OpenSSL have nothing in common. Use Wireshark or tcpdump and determine just which protocols your client is attempting to negotiate with, and insure that those are enabled in your build of OpenSSL.

 - Chuck
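
The attribute mismatch described in the reply above can be checked mechanically. The following Python audit is an added example, not part of the original message and not Tomcat code: it parses a server.xml and reports TLS connectors whose SSL attributes belong to the other connector implementation. The sample server.xml, its ports and file paths are constructed, and the attribute sets are an assumed subset of the names in the Tomcat 7 HTTP connector documentation.

```python
import xml.etree.ElementTree as ET

# Subset of SSL attribute names from the Tomcat 7 HTTP connector docs.
JSSE_ATTRS = {"sslEnabledProtocols", "sslProtocol", "ciphers", "keystoreFile", "keystorePass"}
APR_ATTRS = {"SSLProtocol", "SSLCipherSuite", "SSLCertificateFile", "SSLCertificateKeyFile"}
IMPL = {
    "org.apache.coyote.http11.Http11Protocol": "jsse",     # BIO
    "org.apache.coyote.http11.Http11NioProtocol": "jsse",  # NIO
    "org.apache.coyote.http11.Http11AprProtocol": "apr",
}

def audit_connectors(server_xml):
    """Return (port, implementation, issue) tuples for TLS-enabled connectors."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector
        port = conn.get("port", "?")
        # protocol="HTTP/1.1" (or absent) is resolved at startup: APR when the
        # native library is loaded, otherwise a JSSE connector.
        impl = IMPL.get(conn.get("protocol", "HTTP/1.1"), "auto")
        jsse = sorted(JSSE_ATTRS & set(conn.attrib))
        apr = sorted(APR_ATTRS & set(conn.attrib))
        if impl == "apr":
            if jsse:
                findings.append((port, impl, "JSSE attributes on APR connector: " + ", ".join(jsse)))
            if "SSLProtocol" not in conn.attrib:
                findings.append((port, impl, "SSLProtocol not set explicitly"))
        elif impl == "jsse" and apr:
            findings.append((port, impl, "APR attributes on JSSE connector: " + ", ".join(apr)))
        elif impl == "auto" and (jsse or apr):
            findings.append((port, impl, "implementation chosen at startup; set protocol to a class name"))
    return findings

# Constructed sample: 8443 repeats the mismatch from the reply, 9443 is consistent.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" sslEnabledProtocols="TLSv1.2"
             SSLCertificateFile="conf/server.crt" SSLCertificateKeyFile="conf/server.key"/>
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" sslEnabledProtocols="TLSv1.2" keystoreFile="conf/keystore.jks"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, impl, issue in audit_connectors(SAMPLE):
        print(f"port {port} [{impl}]: {issue}")
```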