Subject: Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
To: users@tomcat.apache.org
From: Christopher Schultz
Date: Wed, 4 Oct 2017 15:26:11 -0400

James,

On 10/4/17 3:15 PM, James H. H. Lampert wrote:
> Christopher Schultz (Tomcat list guru) wrote:

/me bows

>> Looks like your server only has ECDHE-based suites available, and
>> the client supports none of those. Can you post your
>> configuration from conf/server.xml?
>
> Yes, and I can also post something else.
>
> I found the Java source for your own "SSLInfo" program (yes, I
> actually do attempt to pursue any line of research that occurs to
> me, even as I'm begging for help), compiled it, and put it onto
> both the local box where the AS/400 is able to connect to the
> Tomcat server, and on the cloud server where it isn't.
>
> On the local box, running Tomcat 7, I get:
>> java -showversion SSLInfo
>> java version "1.7.0_131"
>> OpenJDK Runtime Environment (IcedTea 2.6.9) (7u131-2.6.9-2~deb8u1)
>> OpenJDK Client VM (build 24.131-b00, mixed mode, sharing)
>>
>> Default Cipher
>>         SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>> *       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>>         SSL_DHE_DSS_WITH_DES_CBC_SHA
>>         SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>> *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>         SSL_DHE_RSA_WITH_DES_CBC_SHA
>>         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>>         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
>>         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>>         SSL_DH_anon_WITH_DES_CBC_SHA
>>         SSL_DH_anon_WITH_RC4_128_MD5
>>         SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>>         SSL_RSA_EXPORT_WITH_RC4_40_MD5
>> *       SSL_RSA_WITH_3DES_EDE_CBC_SHA
>>         SSL_RSA_WITH_DES_CBC_SHA
>>         SSL_RSA_WITH_NULL_MD5
>>         SSL_RSA_WITH_NULL_SHA
>>         SSL_RSA_WITH_RC4_128_MD5
>>         SSL_RSA_WITH_RC4_128_SHA
>> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>> *       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
>> *       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>         TLS_DH_anon_WITH_AES_128_CBC_SHA
>>         TLS_DH_anon_WITH_AES_128_CBC_SHA256
>>         TLS_DH_anon_WITH_AES_256_CBC_SHA
>>         TLS_DH_anon_WITH_AES_256_CBC_SHA256
>> *       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDHE_ECDSA_WITH_NULL_SHA
>>         TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
>> *       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDHE_RSA_WITH_NULL_SHA
>>         TLS_ECDHE_RSA_WITH_RC4_128_SHA
>> *       TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDH_ECDSA_WITH_NULL_SHA
>>         TLS_ECDH_ECDSA_WITH_RC4_128_SHA
>> *       TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDH_RSA_WITH_NULL_SHA
>>         TLS_ECDH_RSA_WITH_RC4_128_SHA
>>         TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
>>         TLS_ECDH_anon_WITH_AES_128_CBC_SHA
>>         TLS_ECDH_anon_WITH_AES_256_CBC_SHA
>>         TLS_ECDH_anon_WITH_NULL_SHA
>>         TLS_ECDH_anon_WITH_RC4_128_SHA
>> *       TLS_EMPTY_RENEGOTIATION_INFO_SCSV
>>         TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
>>         TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
>>         TLS_KRB5_EXPORT_WITH_RC4_40_MD5
>>         TLS_KRB5_EXPORT_WITH_RC4_40_SHA
>>         TLS_KRB5_WITH_3DES_EDE_CBC_MD5
>>         TLS_KRB5_WITH_3DES_EDE_CBC_SHA
>>         TLS_KRB5_WITH_DES_CBC_MD5
>>         TLS_KRB5_WITH_DES_CBC_SHA
>>         TLS_KRB5_WITH_RC4_128_MD5
>>         TLS_KRB5_WITH_RC4_128_SHA
>> *       TLS_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_RSA_WITH_AES_256_CBC_SHA256
>>         TLS_RSA_WITH_NULL_SHA256

Right. That confirms that your Tomcat 7 server supports quite a few
cipher suites, many of which are enabled by default. On that server,
you'd have to specifically disable them in order for them not to work.
(Some of them might be SSLv3 cipher suites, and would be disabled
along with that protocol, but most cipher suites are for a "protocol X
or higher" kind of thing).

> and the relevant connector in server.xml (line breaks added,
> sensitive information redacted) is
>
>> <Connector
>> protocol="org.apache.coyote.http11.Http11Protocol"
>> compression="on" compressionMinSize="2048"
>> noCompressionUserAgents="gozilla, traviata"
>> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>> maxPostSize="10485760"
>> keystoreFile="/usr/share/apache-tomcat-7.0.57/$$$$$$$$$"
>> keyAlias="$$$$$$$$" clientAuth="false" sslProtocol="TLS" />

Okay so you are in no way interfering with the defaults. That means
you'll get (depending upon your exact versions of various things) a
Tomcat which supports TLSv1 or later, and most of the cipher suites
that are shown as "default" above.

Your choice of TLS certificate may affect some of the things that you
can do, but I see that you've got an RSA certificate from the output
from SSLLabs, so you shouldn't have any problems with a DSS
certificate or anything like that. (Use of DSS certs these days is
fairly rare).

> On the cloud box, running Tomcat 8, I get:
>> java -showversion SSLInfo
>> java version "1.7.0_151"
>> OpenJDK Runtime Environment (IcedTea 2.6.11) (7u151-2.6.11-1~deb8u1)
>> OpenJDK 64-Bit Server VM (build 24.151-b01, mixed mode)
>>
>> Default Cipher
>>         SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>> *       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>>         SSL_DHE_DSS_WITH_DES_CBC_SHA
>>         SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>> *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>         SSL_DHE_RSA_WITH_DES_CBC_SHA
>>         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>>         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
>>         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>>         SSL_DH_anon_WITH_DES_CBC_SHA
>>         SSL_DH_anon_WITH_RC4_128_MD5
>>         SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>>         SSL_RSA_EXPORT_WITH_RC4_40_MD5
>> *       SSL_RSA_WITH_3DES_EDE_CBC_SHA
>>         SSL_RSA_WITH_DES_CBC_SHA
>>         SSL_RSA_WITH_NULL_MD5
>>         SSL_RSA_WITH_NULL_SHA
>>         SSL_RSA_WITH_RC4_128_MD5
>>         SSL_RSA_WITH_RC4_128_SHA
>> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>> *       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
>> *       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>         TLS_DH_anon_WITH_AES_128_CBC_SHA
>>         TLS_DH_anon_WITH_AES_128_CBC_SHA256
>>         TLS_DH_anon_WITH_AES_256_CBC_SHA
>>         TLS_DH_anon_WITH_AES_256_CBC_SHA256
>> *       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDHE_ECDSA_WITH_NULL_SHA
>>         TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
>> *       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDHE_RSA_WITH_NULL_SHA
>>         TLS_ECDHE_RSA_WITH_RC4_128_SHA
>> *       TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDH_ECDSA_WITH_NULL_SHA
>>         TLS_ECDH_ECDSA_WITH_RC4_128_SHA
>> *       TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
>> *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>         TLS_ECDH_RSA_WITH_NULL_SHA
>>         TLS_ECDH_RSA_WITH_RC4_128_SHA
>>         TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
>>         TLS_ECDH_anon_WITH_AES_128_CBC_SHA
>>         TLS_ECDH_anon_WITH_AES_256_CBC_SHA
>>         TLS_ECDH_anon_WITH_NULL_SHA
>>         TLS_ECDH_anon_WITH_RC4_128_SHA
>> *       TLS_EMPTY_RENEGOTIATION_INFO_SCSV
>>         TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
>>         TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
>>         TLS_KRB5_EXPORT_WITH_RC4_40_MD5
>>         TLS_KRB5_EXPORT_WITH_RC4_40_SHA
>>         TLS_KRB5_WITH_3DES_EDE_CBC_MD5
>>         TLS_KRB5_WITH_3DES_EDE_CBC_SHA
>>         TLS_KRB5_WITH_DES_CBC_MD5
>>         TLS_KRB5_WITH_DES_CBC_SHA
>>         TLS_KRB5_WITH_RC4_128_MD5
>>         TLS_KRB5_WITH_RC4_128_SHA
>> *       TLS_RSA_WITH_AES_128_CBC_SHA
>> *       TLS_RSA_WITH_AES_128_CBC_SHA256
>> *       TLS_RSA_WITH_AES_256_CBC_SHA
>> *       TLS_RSA_WITH_AES_256_CBC_SHA256
>>         TLS_RSA_WITH_NULL_SHA256

No surprise here, since the OpenJDK version is only a patch-level off
from the previous. I didn't look at every cipher suite, but it looks
like the same list.

> and the connector here is, with the exception of port number and
> keystore information, the same.

Strange. I would have expected Tomcat to enable more cipher suites
with a default configuration given the SSLInfo output above.

Are you sure you are using the same Java version with Tomcat as you
did to run those commands above?

-chris
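
Added example, not part of the original message and not the SSLInfo program mentioned in it: a small Java check for the situation discussed in the thread. It reports which JVM is running, counts the cipher suites that JVM enables by default per key-exchange family, and shows whether any of them overlap a client's offer. The class name and the CLIENT_OFFER list are assumptions; the list is a constructed placeholder to be replaced with the suites the real client supports.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherOverlap {
    // Constructed sample: suites a hypothetical legacy client offers (not taken from the thread).
    static final List<String> CLIENT_OFFER = Arrays.asList(
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA");

    // Suites both sides could negotiate, kept in the client's preference order.
    static List<String> overlap(List<String> client, Collection<String> server) {
        List<String> shared = new ArrayList<>(client);
        shared.retainAll(new HashSet<>(server));
        return shared;
    }

    // Key-exchange part of a suite name, e.g. "ECDHE_RSA" from TLS_ECDHE_RSA_WITH_...
    // Names without "_WITH_" (such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV) map to "OTHER".
    static String keyExchange(String suite) {
        int start = suite.indexOf('_') + 1;
        int with = suite.indexOf("_WITH_");
        return with > start ? suite.substring(start, with) : "OTHER";
    }

    public static void main(String[] args) throws Exception {
        // The JVM actually executing this code; compare with the one Tomcat reports at startup.
        System.out.println("java.version=" + System.getProperty("java.version")
            + " java.home=" + System.getProperty("java.home"));

        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        List<String> enabled = Arrays.asList(f.getDefaultCipherSuites());

        // Count default-enabled suites per key-exchange family.
        Map<String, Integer> byKx = new TreeMap<>();
        for (String s : enabled) {
            String kx = keyExchange(s);
            byKx.put(kx, byKx.containsKey(kx) ? byKx.get(kx) + 1 : 1);
        }
        System.out.println("enabled by default, per key exchange: " + byKx);

        List<String> shared = overlap(CLIENT_OFFER, enabled);
        System.out.println(shared.isEmpty()
            ? "no shared suite: the handshake would fail"
            : "shared suites: " + shared);
    }
}
```

Run it with the same java binary that starts Tomcat; if java.version or java.home differs from what Tomcat logs, the SSLInfo output and the server's real cipher list were produced by different JVMs.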