tomcat-users mailing list archives

From "James H. H. Lampert" <jam...@touchtonecorp.com>
Subject Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
Date Wed, 04 Oct 2017 19:15:10 GMT
Christopher Schultz (Tomcat list guru) wrote:

> Looks like your server only has ECDHE-based suites available, and the
> client supports none of those. Can you post your <Connector>
> configuration from conf/server.xml?

Yes, and I can also post something else.

I found the Java source for your own "SSLInfo" program (yes, I actually 
do attempt to pursue any line of research that occurs to me, even as I'm 
begging for help), compiled it, and put it onto both the local box where 
the AS/400 is able to connect to the Tomcat server, and on the cloud 
server where it isn't.

On the local box, running Tomcat 7, I get:
> java -showversion SSLInfo
> java version "1.7.0_131"
> OpenJDK Runtime Environment (IcedTea 2.6.9) (7u131-2.6.9-2~deb8u1)
> OpenJDK Client VM (build 24.131-b00, mixed mode, sharing)
>
> Default	Cipher
>  	SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> *	SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>  	SSL_DHE_DSS_WITH_DES_CBC_SHA
>  	SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> *	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>  	SSL_DHE_RSA_WITH_DES_CBC_SHA
>  	SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>  	SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
>  	SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>  	SSL_DH_anon_WITH_DES_CBC_SHA
>  	SSL_DH_anon_WITH_RC4_128_MD5
>  	SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>  	SSL_RSA_EXPORT_WITH_RC4_40_MD5
> *	SSL_RSA_WITH_3DES_EDE_CBC_SHA
>  	SSL_RSA_WITH_DES_CBC_SHA
>  	SSL_RSA_WITH_NULL_MD5
>  	SSL_RSA_WITH_NULL_SHA
>  	SSL_RSA_WITH_RC4_128_MD5
>  	SSL_RSA_WITH_RC4_128_SHA
> *	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> *	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
> *	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> *	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> *	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> *	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>  	TLS_DH_anon_WITH_AES_128_CBC_SHA
>  	TLS_DH_anon_WITH_AES_128_CBC_SHA256
>  	TLS_DH_anon_WITH_AES_256_CBC_SHA
>  	TLS_DH_anon_WITH_AES_256_CBC_SHA256
> *	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDHE_ECDSA_WITH_NULL_SHA
>  	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
> *	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDHE_RSA_WITH_NULL_SHA
>  	TLS_ECDHE_RSA_WITH_RC4_128_SHA
> *	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDH_ECDSA_WITH_NULL_SHA
>  	TLS_ECDH_ECDSA_WITH_RC4_128_SHA
> *	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDH_RSA_WITH_NULL_SHA
>  	TLS_ECDH_RSA_WITH_RC4_128_SHA
>  	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
>  	TLS_ECDH_anon_WITH_AES_128_CBC_SHA
>  	TLS_ECDH_anon_WITH_AES_256_CBC_SHA
>  	TLS_ECDH_anon_WITH_NULL_SHA
>  	TLS_ECDH_anon_WITH_RC4_128_SHA
> *	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
>  	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
>  	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
>  	TLS_KRB5_EXPORT_WITH_RC4_40_MD5
>  	TLS_KRB5_EXPORT_WITH_RC4_40_SHA
>  	TLS_KRB5_WITH_3DES_EDE_CBC_MD5
>  	TLS_KRB5_WITH_3DES_EDE_CBC_SHA
>  	TLS_KRB5_WITH_DES_CBC_MD5
>  	TLS_KRB5_WITH_DES_CBC_SHA
>  	TLS_KRB5_WITH_RC4_128_MD5
>  	TLS_KRB5_WITH_RC4_128_SHA
> *	TLS_RSA_WITH_AES_128_CBC_SHA
> *	TLS_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_RSA_WITH_AES_256_CBC_SHA
> *	TLS_RSA_WITH_AES_256_CBC_SHA256
>  	TLS_RSA_WITH_NULL_SHA256
and the relevant connector in server.xml (line breaks added, sensitive 
information redacted) is
> <Connector port="8090" protocol="org.apache.coyote.http11.Http11Protocol"
>  compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,
>  application/x-javascript,application/javascript,application/json"
>  maxThreads="150" SSLEnabled="true" scheme="https" secure="true" maxPostSize="10485760"
>  keystoreFile="/usr/share/apache-tomcat-7.0.57/$$$$$$$$$" keyAlias="$$$$$$$$"
>  clientAuth="false" sslProtocol="TLS" />


On the cloud box, running Tomcat 8, I get:
> java -showversion SSLInfo
> java version "1.7.0_151"
> OpenJDK Runtime Environment (IcedTea 2.6.11) (7u151-2.6.11-1~deb8u1)
> OpenJDK 64-Bit Server VM (build 24.151-b01, mixed mode)
>
> Default	Cipher
>  	SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> *	SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>  	SSL_DHE_DSS_WITH_DES_CBC_SHA
>  	SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> *	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>  	SSL_DHE_RSA_WITH_DES_CBC_SHA
>  	SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
>  	SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
>  	SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>  	SSL_DH_anon_WITH_DES_CBC_SHA
>  	SSL_DH_anon_WITH_RC4_128_MD5
>  	SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>  	SSL_RSA_EXPORT_WITH_RC4_40_MD5
> *	SSL_RSA_WITH_3DES_EDE_CBC_SHA
>  	SSL_RSA_WITH_DES_CBC_SHA
>  	SSL_RSA_WITH_NULL_MD5
>  	SSL_RSA_WITH_NULL_SHA
>  	SSL_RSA_WITH_RC4_128_MD5
>  	SSL_RSA_WITH_RC4_128_SHA
> *	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> *	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
> *	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> *	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> *	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> *	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>  	TLS_DH_anon_WITH_AES_128_CBC_SHA
>  	TLS_DH_anon_WITH_AES_128_CBC_SHA256
>  	TLS_DH_anon_WITH_AES_256_CBC_SHA
>  	TLS_DH_anon_WITH_AES_256_CBC_SHA256
> *	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDHE_ECDSA_WITH_NULL_SHA
>  	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
> *	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDHE_RSA_WITH_NULL_SHA
>  	TLS_ECDHE_RSA_WITH_RC4_128_SHA
> *	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDH_ECDSA_WITH_NULL_SHA
>  	TLS_ECDH_ECDSA_WITH_RC4_128_SHA
> *	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> *	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
> *	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
> *	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>  	TLS_ECDH_RSA_WITH_NULL_SHA
>  	TLS_ECDH_RSA_WITH_RC4_128_SHA
>  	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
>  	TLS_ECDH_anon_WITH_AES_128_CBC_SHA
>  	TLS_ECDH_anon_WITH_AES_256_CBC_SHA
>  	TLS_ECDH_anon_WITH_NULL_SHA
>  	TLS_ECDH_anon_WITH_RC4_128_SHA
> *	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
>  	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
>  	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
>  	TLS_KRB5_EXPORT_WITH_RC4_40_MD5
>  	TLS_KRB5_EXPORT_WITH_RC4_40_SHA
>  	TLS_KRB5_WITH_3DES_EDE_CBC_MD5
>  	TLS_KRB5_WITH_3DES_EDE_CBC_SHA
>  	TLS_KRB5_WITH_DES_CBC_MD5
>  	TLS_KRB5_WITH_DES_CBC_SHA
>  	TLS_KRB5_WITH_RC4_128_MD5
>  	TLS_KRB5_WITH_RC4_128_SHA
> *	TLS_RSA_WITH_AES_128_CBC_SHA
> *	TLS_RSA_WITH_AES_128_CBC_SHA256
> *	TLS_RSA_WITH_AES_256_CBC_SHA
> *	TLS_RSA_WITH_AES_256_CBC_SHA256
>  	TLS_RSA_WITH_NULL_SHA256

and the connector here is, with the exception of port number and 
keystore information, the same.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
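The diagnosis in this thread hinges on which suites the server's JVM enables by default (the '*' column above, which is exactly what a JSSE connector with no `ciphers` attribute offers) and whether any of them overlap what the GSKit client sends. The following standalone Java program is an added example, not part of the original message and not Christopher Schultz's SSLInfo: it enumerates this JVM's supported and default-enabled suites the same way, then intersects the enabled set with a client list to show the "no compatible cipher suite" condition, and repeats the check after a simulated `ciphers=` restriction. The class and method names, the client suite list, and the ECDHE-only `ciphers=` value are assumptions for illustration, not what the AS/400 actually offers.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not the SSLInfo program from the thread): list the suites this
 * JVM's JSSE provider supports and enables by default, then check whether a
 * client's offered list overlaps the server's enabled set. A JSSE Tomcat
 * connector with no "ciphers" attribute, like the one in the message, offers
 * exactly the default-enabled set, so an empty overlap is the
 * "no compatible cipher suite" condition.
 */
public class CipherOverlap {

    /** Every suite the provider knows about, sorted (the full "Cipher" column). */
    public static Set<String> supportedSuites(String protocol) throws Exception {
        return new TreeSet<String>(Arrays.asList(factory(protocol).getSupportedCipherSuites()));
    }

    /** Suites enabled by default (the '*' column): what Tomcat offers without a ciphers= list. */
    public static Set<String> defaultSuites(String protocol) throws Exception {
        return new TreeSet<String>(Arrays.asList(factory(protocol).getDefaultCipherSuites()));
    }

    /**
     * Simulates a Tomcat JSSE connector's ciphers="A,B,C" attribute: only listed
     * suites the provider actually supports become enabled; names the JVM does
     * not know are collected in unknownOut so a typo does not silently shrink
     * the set.
     */
    public static Set<String> restrictedSuites(String protocol, String ciphersAttr,
                                               List<String> unknownOut) throws Exception {
        Set<String> supported = supportedSuites(protocol);
        Set<String> enabled = new LinkedHashSet<String>();
        for (String name : ciphersAttr.split(",")) {
            String n = name.trim();
            if (n.isEmpty()) continue;
            if (supported.contains(n)) enabled.add(n); else unknownOut.add(n);
        }
        return enabled;
    }

    /** Server-enabled intersected with client-offered, in the client's preference order. */
    public static List<String> overlap(Set<String> serverEnabled, List<String> clientOffered) {
        List<String> common = new ArrayList<String>();
        for (String s : clientOffered) {
            if (serverEnabled.contains(s)) common.add(s);
        }
        return common;
    }

    private static SSLSocketFactory factory(String protocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // default key/trust managers suffice for enumeration
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = supportedSuites("TLS");
        Set<String> enabled = defaultSuites("TLS");
        System.out.println("Default\tCipher");
        for (String s : supported) {
            System.out.println((enabled.contains(s) ? "*" : " ") + "\t" + s);
        }

        // Constructed client list: an assumption for illustration, not what GSKit on the AS/400 sends.
        List<String> client = Arrays.asList(
                "SSL_RSA_WITH_RC4_128_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA");

        report("JVM defaults (connector without ciphers=)", overlap(enabled, client));

        // Same check after a hypothetical ciphers= restriction to ECDHE-only suites.
        List<String> unknown = new ArrayList<String>();
        Set<String> ecdheOnly = restrictedSuites("TLS",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", unknown);
        if (!unknown.isEmpty()) {
            System.out.println("ciphers= names not supported by this JVM: " + unknown);
        }
        report("ECDHE-only connector", overlap(ecdheOnly, client));
    }

    private static void report(String label, List<String> common) {
        System.out.println(label + ": " + (common.isEmpty()
                ? "NO compatible cipher suite (handshake would fail)"
                : "negotiable " + common));
    }
}
```

Compile and run it with `javac CipherOverlap.java && java CipherOverlap`, using the same JVM that runs Tomcat: the default-enabled set depends on the JDK build and on `jdk.tls.disabledAlgorithms` in that JDK's `java.security`, so output from a different Java installation says nothing about the connector. Tomcat's JSSE connector `ciphers` attribute takes a comma-separated list of JSSE suite names, which is why the simulated restriction checks every name against `getSupportedCipherSuites()` before enabling it.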

