tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
Date Wed, 04 Oct 2017 18:01:21 GMT

James,

On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> I wrote:
>>> I mean, I know that I need to get HTTPAPI and Tomcat speaking
>>> the same language, but where do I begin?
> Here's what I got back when I ran the SSLLabs server test on the
> cloud server:
> 
>> Protocols
>> TLS 1.3     No
>> TLS 1.2     Yes
>> TLS 1.1     Yes
>> TLS 1.0     Yes
>> SSL 3     No
>> SSL 2     No
> 
>> Cipher Suites
>> # TLS 1.2 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     128
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     256
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     256
>> # TLS 1.1 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     256
>> # TLS 1.0 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS     256
> 
> On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the
> operating system's SSL support (which was how I thought it worked),
> and directed to look through the system values to see what it
> supports. What I found was:
> 
> QSSLPCL     *SEC     Secure sockets layer protocols
>> *OPSYS
> (which I'm pretty sure means that all OS-supported protocols are 
> available; they can also be individually specified as any or all
> of *TLSV1, *SSLV3, and *SSLV2)
> 
> QSSLCSL     *SEC     Secure sockets layer cipher specification list
>> *RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5 
>> *RSA_AES_256_CBC_SHA *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA 
>> *RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA 
>> *RSA_NULL_MD5
> 
> and unfortunately, IBM doesn't backport new cipher suites to older
> OS releases.

Looks like your server only has ECDHE-based suites available, and the
client supports none of those. Can you post your <Connector>
configuration from conf/server.xml?

-chris
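The mismatch described in the reply above can be checked mechanically. This is an added example, not part of the original message: it compares the server suites from the quoted SSLLabs report with the client's QSSLCSL list. The mapping from IBM i cipher spec names to IANA suite names and the name-based weak-suite markers are assumptions of this example.

```python
# Added example: data copied from the SSLLabs report and QSSLCSL value quoted above.
ECDHE_SHA1 = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]
SERVER_SUITES = {
    "TLSv1.2": ECDHE_SHA1 + ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"],
    "TLSv1.1": ECDHE_SHA1,
    "TLSv1": ECDHE_SHA1,
}
# QSSLPCL *OPSYS, per the post: any or all of *TLSV1, *SSLV3, *SSLV2.
CLIENT_PROTOCOLS = ["TLSv1", "SSLv3", "SSLv2"]
QSSLCSL = ("*RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5 "
           "*RSA_AES_256_CBC_SHA *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA "
           "*RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA "
           "*RSA_NULL_MD5").split()
# Substrings marking suites with weak or no encryption or MAC (assumed name-based check).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "_DES_", "3DES", "MD5")


def to_iana(ibm_name):
    """Assumed name mapping: *RSA_X -> TLS_RSA_WITH_X (EXPORT variants likewise)."""
    rest = ibm_name.lstrip("*")
    if not rest.startswith("RSA_"):
        raise ValueError("unexpected cipher spec: " + ibm_name)
    rest = rest[len("RSA_"):]
    if rest.startswith("EXPORT_"):
        return "TLS_RSA_EXPORT_WITH_" + rest[len("EXPORT_"):]
    return "TLS_RSA_WITH_" + rest


def key_exchange(iana_name):
    """Key-exchange/auth part of a suite name, e.g. ECDHE_RSA or RSA."""
    return iana_name[len("TLS_"):].split("_WITH_")[0]


def diagnose(server_suites, client_protocols, client_specs):
    client = [to_iana(s) for s in client_specs]
    shared_protocols = [p for p in server_suites if p in client_protocols]
    # Suites both ends could pick, per protocol they have in common.
    common = {p: [s for s in client if s in server_suites[p]] for p in shared_protocols}
    return {
        "shared_protocols": shared_protocols,
        "common_suites": common,
        "server_kx": sorted({key_exchange(s) for v in server_suites.values() for s in v}),
        "client_kx": sorted({key_exchange(s) for s in client}),
        # Client suites without a weak marker; static RSA, so no forward secrecy.
        "client_not_weak": [s for s in client if not any(m in s for m in WEAK_MARKERS)],
    }


if __name__ == "__main__":
    for key, value in diagnose(SERVER_SUITES, CLIENT_PROTOCOLS, QSSLCSL).items():
        print(key, "=", value)
```

The two ends share a protocol (TLS 1.0) but the per-protocol suite intersection is empty, which matches the GSKit error in the subject line rather than a protocol-version failure.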
