tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLS/SSL Elliptic Curve support problem with Tomcat 7.0.72
Date Wed, 09 Nov 2016 21:11:56 GMT

Daniel,

You don't seem to have received a response about this...

On 10/11/16 2:13 PM, Daniel Savard wrote:
> I have a problem which has evaded me for too long. I am just
> unable to find out what is wrong. I have a Tomcat 7.0.72 (the version
> doesn't matter; the problem exists with 7.0.68 and 7.0.70 as well)
> with Oracle JDK 1.8.0_102 (the version doesn't matter much either
> since the problem manifests with 1.8.0_92, 1.8.0_77 as well).
> 
> My Tomcat is unable to complete its TLSv1.2 handshaking protocol. I
> am getting this in my log when enabling SSL debug:
> 
> [snip]
> 
> The key message seems to be: Extension elliptic_curves, curve
> names: {unknown curve 29,
> java.security.spec.ECParameterSpec@2b839e7c, 
> java.security.spec.ECParameterSpec@55e0b1ed}

That seems okay to me: Java understands 2 of the 3 curves supported by
the client. Curve 0x19 is secp521r1 which is not mentioned by the NSA
Suite B publication, so it's often not implemented.

> I should get something with a list of recognized curves.

It looks like 2 of them are recognized.

> Later, when the server will complete the handshaking with a fatal
> error, it will obviously fail agreeing on the curve and share
> parameters. Like this:
> 
> -------------------------
> 
> ****** ECDH ServerKeyExchange
> Signature Algorithm SHA512withRSA
> Server key: com.rsa.cryptoj.o.fn@a9c1e230
> *** ServerHelloDone
> 
> --------------------------

It "will", or it /does/?

> Where I should get the name of the curve and the parameters for the
> shared secret.

If the runtime doesn't implement the curve, you can't use it. The
question is why the client and the server won't use the two curves
they *do* agree on.

Which client is this? Many clients (e.g. Google Chrome, MSIE/Edge)
don't support curve #19. I use Mozilla Firefox, which currently does
support curve #19. Does your TLS site work with Firefox? Apple Safari
also supports curve #19.

> Since I have some other instances on the same server running just
> fine, I wonder what I should look for. What can lead to this
> failure?
> 
> Yes, I have the Unlimited JCE Policy installed and working for
> other instances of Tomcat 8. Both Tomcat 8 and Tomcat 7 on this
> server share the very same JDK.

The JCE security policy probably isn't affecting this.

> In the Firefox browser, the message is as follows: Unsupported
> elliptic curve. Error code: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
> Which is the most descriptive message among the three following
> browsers: IE 11, Chrome and Firefox. IE11 and Chrome are
> complaining about TLS protocol error without saying anything about
> the cause of the error.

Can you post your <Connector> configuration?

-chris
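
The decoding and matching discussed in this message, as an added example that is not part of the original e-mail or of Tomcat/JSSE: it parses a raw elliptic_curves extension, names each curve id from the IANA TLS Supported Groups registry (shown in decimal and hex), and reports the first curve both sides share. The sample bytes and the server curve set are constructed assumptions, and selecting by client preference order is a simplification.

```python
import struct

# Subset of the IANA "TLS Supported Groups" registry (id -> name).
NAMED_GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
                29: "x25519", 30: "x448"}
EXT_ELLIPTIC_CURVES = 10  # extension type; later renamed supported_groups


def parse_elliptic_curves(ext):
    """Return curve ids, in client preference order, from one raw extension."""
    if len(ext) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != EXT_ELLIPTIC_CURVES:
        raise ValueError("not an elliptic_curves extension: type %d" % ext_type)
    # ext_len covers the 2-byte list length plus the list; ids are 2 bytes each.
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or list_len % 2:
        raise ValueError("inconsistent length fields")
    return [struct.unpack("!H", ext[i:i + 2])[0]
            for i in range(6, 6 + list_len, 2)]


def describe(ids, server_ids):
    """(decimal id, hex id, name, server_has_it) for every offered curve."""
    return [(i, "0x%04x" % i, NAMED_GROUPS.get(i, "unknown"), i in server_ids)
            for i in ids]


def first_shared(ids, server_ids):
    """First client-preferred curve the server also implements, else None."""
    return next((i for i in ids if i in server_ids), None)


# Constructed sample: a client offering curve ids 29, 23 and 24.
SAMPLE_EXT = bytes.fromhex("000a00080006001d00170018")
# Assumption: curve ids the server-side crypto provider implements.
SERVER_CURVES = {23, 24, 25}

if __name__ == "__main__":
    offered = parse_elliptic_curves(SAMPLE_EXT)
    for dec, hx, name, shared in describe(offered, SERVER_CURVES):
        print("%3d %s %-10s %s" % (dec, hx, name, "shared" if shared else "client only"))
    pick = first_shared(offered, SERVER_CURVES)
    print("negotiable:", NAMED_GROUPS.get(pick, pick) if pick is not None
          else "none (handshake cannot use ECDHE)")
```
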
