tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Help with Apache Tomcat/7.0.53 SSL issue
Date Wed, 22 Oct 2014 13:41:12 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Edward,

On 10/7/14 2:35 PM, Brewer, Edward L wrote:
> Oh... Here is the entry in our server.xml (probably the most 
> important part)
> 
> <Connector port="<Omitted>" address="<Omitted>"
> protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
> scheme="https" secure="true" clientAuth="false" 
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
>
> 
keyAlias="<omitted>"
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
>
> 
keystorePass="<omitted>" />

So you are using JSSE and haven't specified an sslProtocol, so you are
getting the default which is TLS (which, for Java, really means SSLv3,
TLSv1, TLSv1.1, and TLSv1.2).

You are specifying a very small number of cipher suites (only 3) so
perhaps that's the problem. Note that all your cipher suites start
with SSL_* and none with TLS_*. That's not in itself a problem, but
you are restricting your server to using old cipher suites and not
allowing new ones. You can find code in the archives to pull the list
of supported and enabled-by-default cipher suites for your JVM.

What happens if you lift the restriction on the ciphers list so that
JSSE will use its default set?

> Here is the error that I see from curl
> 
> curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno
> 104

Try using "openssl s_client" -- it gives much more information about
the connection.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUR7P4AAoJEBzwKT+lPKRY1SEP/1A+8i4Td8xD0xOcUe+P8oBK
wA6yjoo76MUqj4Nei0ZghXmzsrIUss/RsuazmLTJFTnJcEg3GThmjh1uKlHloUBR
2dFg6FhUDn4v+7P2sQiDuwtEd9oDx6aFA5j/DxSFCclnR7jq66vU0lxTjFdgd3jw
/G0dlF+iBnvBVEM2hojZAbv30qoIsxPAHXdsf7T13vcUQ/bVywmbqUPtoSR8hWzh
Mg+B+y7MEYJSUzeZf4JOqHuCe3nLHxOV7XNF7Mw5sZZ8DOvoay+tNU8mmeXmnHY0
zJe/4TICGz6BPYKaZNELwv8PiLZZ76mnu+c9I3Bcv3ZBC6D8p+yISA01apYOujgv
0Mfo9ilm/3E9dORHCX4497FyKLq6KjX3dPnlLD2G0YC7qRU6o1iA8pjFkbt38UgU
CeE8AMxu4sgQAyQVXkVlfs9T72JJmUdd3y+Jm5/WUreZoiTjS0gCEhwue9rUDOSo
B6wf7V971IlKQbbxMhpiqbf/2TsoS15REPviepsqCHXWVHxoOT/5etTN9V8vP2G6
fxeI4GaBIulGld+tNeVnR1Izi8sHz1GPYbGfD2zhwC1Br18MxiBdEtYQQI++LcTh
S2JdWtWmJBzgk/uHPB9Lm8oBwYplQYIHUPrF9XO3WJVBuThdeCDf9l5xfefSJktM
7aOx60/EkV878XIK/8Pm
=YDwk
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message