tomcat-users mailing list archives

From Sanaullah <sanaulla...@gmail.com>
Subject Re: FIPS compliancy on Tomcat 7.00.062
Date Wed, 05 Aug 2015 14:03:06 GMT
If you remove the entire ciphers attribute from the server.xml, then by
default the SSL/TLS session picks the best available cipher from the SSL/TLS
handshake version.

On Wed, Aug 5, 2015 at 4:10 PM, Nikitha Benny <nikki.benny@gmail.com> wrote:

> Hi Sanaullah,
>
> That is because we have removed the entire "ciphers" attribute from the
> server.xml file.
> But that should be fine, as the non-compliant FIPS also has the "cipher"
> attribute removed and it shows a similar client-to-server connection and
> runs fine.
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 4:28 PM, Sanaullah <sanaullah82@gmail.com> wrote:
>
> > run this command with debugging prints.
> >
> > openssl s_client -connect 16.183.93.84:8444 -debug -msg
> >
> > > Protocol  : *TLSv1.2*
> > > Cipher    : 0000
> > It seems something is broken, as there is no Cipher.
> >
> > Regards,
> > Sanaullah
> >
> >
> >
> > On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny <nikki.benny@gmail.com> wrote:
> >
> > > Hi Mark, Sanaullah,
> > >
> > > Thank you for your valuable suggestion.
> > >
> > > I just ran the openssl s_client scan, and it looks like the server side is
> > > running fine on the *TLSv1.2* protocol.
> > >
> > > [root]## *openssl s_client -connect 16.183.93.84:8444*
> > > CONNECTED(00000003)
> > > - - -  - -  - -
> > > - - -  - -  - -
> > > - - -  - -  - -
> > > - - -  - -  - -
> > >
> > > 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> > > dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> > > Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> > > d/A4
> > > -----END CERTIFICATE-----
> > > subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> > > issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 1476 bytes and written 7 bytes
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Server public key is 2048 bit
> > > Secure Renegotiation IS supported
> > > Compression: NONE
> > > Expansion: NONE
> > > SSL-Session:
> > >     Protocol  : *TLSv1.2*
> > >     Cipher    : 0000
> > >     Session-ID:
> > > 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> > >     Session-ID-ctx:
> > >     Master-Key:
> > >     Key-Arg   : None
> > >     Krb5 Principal: None
> > >     PSK identity: None
> > >     PSK identity hint: None
> > >     Start Time: 1438771286
> > >     Timeout   : 300 (sec)
> > >     Verify return code: 18 (self signed certificate)
> > >
> > > So could it be an issue with the browser?
> > > Since the browser is not FIPS compliant, could it be the reason for the
> > > issue?
> > >
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah <sanaullah82@gmail.com> wrote:
> > >
> > > > Hi Nikhita,
> > > >
> > > > Run the sslscan tool from the command line, or openssl s_client in debug
> > > > mode:
> > > > https://github.com/rbsec/sslscan
> > > >
> > > > Regards,
> > > > Sanaullah
> > > >
> > > > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny <nikki.benny@gmail.com> wrote:
> > > >
> > > > > Hi Mark,
> > > > >
> > > > > My server is not on a public domain.
> > > > > How can I verify the setup, which is on a private network?
> > > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas <markt@apache.org> wrote:
> > > > >
> > > > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > > > Hi Mark,
> > > > > > >
> > > > > > > When I try to run Tomcat on the https server port:
> > > > > > >
> > > > > > > *https://<ip address>:8444/*
> > > > > > >
> > > > > > > It says as below:
> > > > > > > ----------
> > > > > > >
> > > > > > > *SSL connection error*
> > > > > > >
> > > > > > > *ERR_SSL_PROTOCOL_ERROR*
> > > > > > >
> > > > > > > *Unable to make a secure connection to the server. This may be a
> > > > > > > problem with the server, or it may be requiring a client authentication
> > > > > > > certificate that you don't have*
> > > > > > > *------------*
> > > > > >
> > > > > > That is the client side. What about server side logs?
> > > > > >
> > > > > > > We have set the client authentication to False, so it does not
> > > > > > > need any client authorized certificate.
> > > > > >
> > > > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > > > server. That will tell you if you have a server side issue, a client
> > > > > > side issue or simply a mismatch between the two.
> > > > > >
> > > > > > Mark
> > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > > Nikitha
> > > > > > >
> > > > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.benny@gmail.com> wrote:
> > > > > > >
> > > > > > >>> But still Tomcat does not run on the https port.
> > > > > > >>
> > > > > > >> As in, when we run Tomcat on the https server port it does not
> > > > > > >> display the page.
> > > > > > >> Whereas it goes through fine on the http port. The url opens.
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas <markt@apache.org> wrote:
> > > > > > >>
> > > > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > > > > >>>> Hello Mark,
> > > > > > >>>>
> > > > > > >>>> Thanks for your valuable suggestion.
> > > > > > >>>>
> > > > > > >>>> We were successful in creating the pkcs12 keystore which picks
> > > > > > >>>> up SHA256 as shown below:
> > > > > > >>>
> > > > > > >>> <snip/>
> > > > > > >>>
> > > > > > >>>> But still Tomcat does not run on the https port.
> > > > > > >>>
> > > > > > >>> Define "does not run".
> > > > > > >>>
> > > > > > >>>> Any clue as to why this happens?
> > > > > > >>>
> > > > > > >>> Based on the information provided so far, no.
> > > > > > >>>
> > > > > > >>>> The protocol I am using is *"org.apache.coyote.http11.Http11Protocol".*
> > > > > > >>>
> > > > > > >>> OK. That is the HTTP BIO connector.
> > > > > > >>>
> > > > > > >>>> Could it be because I am not using an APR connector protocol?
> > > > > > >>>
> > > > > > >>> No.
> > > > > > >>>
> > > > > > >>> Mark
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> ---------------------------------------------------------------------
> > > > > > >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > > > >>> For additional commands, e-mail: users-help@tomcat.apache.org
> > > > > > >>>
> > > > > > >>>
> > > > > > >>
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
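Sanaullah's point about the `ciphers` attribute, as an added example that is not from the thread or from the Tomcat project: a Tomcat 7 JSSE (BIO) HTTPS connector that pins the protocol version and the cipher suites explicitly instead of leaving both to the JSSE provider's defaults (which is what dropping the attribute does). The attribute names are those of the Tomcat 7 HTTP connector and the port follows the thread; the keystore path, password and the particular suite selection are assumptions.

```xml
<!-- Added example: Tomcat 7 BIO connector (org.apache.coyote.http11.Http11Protocol)
     with TLS 1.2 only and an explicit suite list. Keystore path/password and the
     suite choice are placeholders, not values from the thread. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="${catalina.base}/conf/server.p12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256" />
```

The suites are JSSE names and use only AES, SHA-2 and RSA/ECDHE; the GCM entries need a JSSE provider that implements them (Java 8's SunJSSE does, Java 7's does not), and a listed suite the provider does not support is simply not enabled. Two caveats a practitioner should keep in mind: restricting the suite list does not by itself make the server FIPS compliant, because compliance is a property of the validated crypto module the JSSE provider runs on; and the only reliable way to see which suites the connector really enables is to probe it with openssl s_client or sslscan as the thread does, rather than reading the attribute.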

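The s_client output posted above reports "Protocol : TLSv1.2" yet "Cipher : 0000", "Cipher is (NONE)" and an empty Master-Key, which is what Sanaullah flags as broken. The following is an added example, not code from the thread or from Tomcat: it parses s_client output and decides whether a session key was actually negotiated, then builds the per-suite probe commands one would run next against the thread's host. The two embedded outputs are constructed (the first trimmed from the posted run, the second a hypothetical healthy server); the probe helper, its suite list and the host/port usage are assumptions.

```python
"""Decide from `openssl s_client` output whether a TLS session was really
negotiated. Added example, not from the thread or from Tomcat: a Protocol
line alone proves nothing; Cipher and Master-Key decide."""
import re
import subprocess

# Constructed sample: trimmed from the s_client output posted in the thread.
FAILED_HANDSHAKE = """\
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIC...
-----END CERTIFICATE-----
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Master-Key:
    Verify return code: 18 (self signed certificate)
"""

# Constructed sample: a hypothetical server whose handshake completes.
GOOD_HANDSHAKE = """\
CONNECTED(00000003)
---
SSL handshake has read 1534 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Master-Key: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Verify return code: 0 (ok)
"""

_FIELD = re.compile(r"^[ \t]*(Protocol|Cipher|Master-Key|Verify return code)[ \t]*:(.*)$", re.M)
_BYTES = re.compile(r"handshake has read (\d+) bytes and written (\d+) bytes")

def parse_s_client(output):
    """Pull out the session fields and decide whether a key was negotiated."""
    fields = {k: v.strip() for k, v in _FIELD.findall(output)}
    m = _BYTES.search(output)
    v = re.match(r"\d+", fields.get("Verify return code", ""))
    cipher = fields.get("Cipher", "")
    return {
        "protocol": fields.get("Protocol", ""),
        "cipher": cipher,
        # 0000 / (NONE) plus an empty Master-Key mean no suite was agreed.
        "handshake_ok": cipher not in ("", "0000", "(NONE)")
                        and fields.get("Master-Key", "") != "",
        "cert_received": "-----END CERTIFICATE-----" in output,
        "verify_code": int(v.group(0)) if v else -1,
        "bytes_read": int(m.group(1)) if m else 0,
        "bytes_written": int(m.group(2)) if m else 0,
    }

def diagnose(result):
    """The conclusion a reviewer should draw from the parsed fields."""
    if result["handshake_ok"]:
        return "handshake completed: %s %s" % (result["protocol"], result["cipher"])
    if result["cert_received"]:
        return ("handshake did not complete: the server sent its certificate but "
                "no cipher suite and no master key were agreed; check the suites "
                "the server's TLS provider actually enables")
    return "no TLS handshake observed; check that the port speaks TLS at all"

# OpenSSL names of suites built only from FIPS-approved algorithms (AES, SHA-2,
# RSA/ECDHE). Server FIPS compliance is a property of its validated crypto
# module, not of this list; the list only makes the probes meaningful.
FIPS_PROBE_SUITES = (
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "AES256-SHA256",
)

def probe_command(host, port, cipher="", protocol="tls1_2"):
    """argv for one s_client probe. Offering a single suite via -cipher turns
    'does the server accept this suite?' into a yes/no handshake result."""
    argv = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-" + protocol, "-msg"]
    if cipher:
        argv += ["-cipher", cipher]
    return argv

def run_probe(host, port, **kwargs):
    """Runs openssl for real (needs the binary and network; not exercised offline)."""
    proc = subprocess.run(probe_command(host, port, **kwargs), input=b"",
                          capture_output=True, timeout=15)
    return parse_s_client(proc.stdout.decode("utf-8", "replace"))

if __name__ == "__main__":
    for name, sample in (("posted output", FAILED_HANDSHAKE), ("good server", GOOD_HANDSHAKE)):
        print(name, "->", diagnose(parse_s_client(sample)))
    # Live, against the thread's host (assumed reachable):
    #   for s in FIPS_PROBE_SUITES: print(s, diagnose(run_probe("16.183.93.84", 8444, cipher=s)))
```

Run standalone it classifies the posted output as an incomplete handshake (certificate received, no suite agreed) and the constructed healthy output as a completed TLSv1.2 session. Against a live host, looping `run_probe` over `FIPS_PROBE_SUITES` shows which approved suites the connector really enables, which is the question the `ciphers` attribute discussion above cannot answer by inspection alone.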