tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: AW: Choosing provider to load pkcs12 keystore for ssl
Date Tue, 17 Jun 2014 15:21:05 GMT

Steffen,

On 6/16/14, 12:01 PM, Steffen Heil (Mailinglisten) wrote:
> Okay, I must have overlooked the "keystoreProvider" attribute
> completely. Sorry for that and thanks a lot for the hint.
> 
> However that only solved the loading part of the problem. The
> certificate is still unusable.
> 
> When I try to connect, the browser reports an error. I set
> javax.net.debug=all and got the output below.
> 
> I notice that the server and the client cannot agree on the
> ciphersuite (fatal error: 40: no cipher suites in common) but I am
> lost on what I would need to configure. I did remove all settings
> of sslProtocol, sslProtocols and ciphers, as I think my old
> defaults will not match an ECC certificate, but still it does not
> work.
> 
> Any further hint?

Try connecting with openssl s_client instead of a browser. Then you
can get more information on the client side. Are you sure your browser
supports ECC?

Also, Java (Oracle JRE v1.0.7) supports ECDH and ECDHE cipher suites
like these:

*	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

I'm no expert on the JRE's support for crypto algorithms and
certificates, but the above seems to indicate that ECC is in fact
supported. Am I missing something?

-chris
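
Added example, not part of the original message or of Tomcat: a small server-side check that prints which ECDSA cipher suites the JRE's default SSLContext supports and enables, and which of them overlap with a client's offer. The class name EcdsaSuiteCheck and the fallback client list are assumptions made for illustration; the default context can differ from what a Tomcat connector is configured to use.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class EcdsaSuiteCheck {

    // TLS 1.2-and-earlier suite names encode the certificate key type;
    // "_ECDSA_" covers both ECDHE_ECDSA and ECDH_ECDSA suites.
    // TLS 1.3 suite names carry no key type and are not matched here.
    static List<String> ecdsaOnly(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_ECDSA_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = ecdsaOnly(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = ecdsaOnly(ctx.getDefaultSSLParameters().getCipherSuites());

        // Client offer: pass suite names as arguments, or fall back to this
        // constructed sample (one RSA suite, one ECDSA suite).
        List<String> offered = args.length > 0 ? Arrays.asList(args)
                : Arrays.asList("TLS_RSA_WITH_AES_128_CBC_SHA",
                                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");

        // Suites usable with an EC key: enabled on this JRE and offered by the client.
        List<String> common = new ArrayList<String>(enabled);
        common.retainAll(offered);

        System.out.println("JRE: " + System.getProperty("java.version"));
        System.out.println("ECDSA suites supported: " + supported);
        System.out.println("ECDSA suites enabled by default: " + enabled);
        System.out.println("Enabled ECDSA suites the client also offers: " + common);
        if (common.isEmpty()) {
            System.out.println("No overlap: with an EC-only certificate a TLS 1.2 or "
                    + "earlier handshake would end in alert 40 (handshake_failure).");
        }
    }
}
```

Run it with the same JRE that runs Tomcat, passing the suite names the client offers as arguments.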
