tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James H. H. Lampert" <jam...@touchtonecorp.com>
Subject Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
Date Wed, 04 Oct 2017 19:44:55 GMT
On 10/4/17, 12:26 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> James,
. . .
> Okay so you are in no way interfering with the defaults. That means
> you'll get (depending upon your exact versions of various things) a
> Tomcat which supports TLSv1 or later, and most of the cipher suites
> that are shown as "default" above.
>
> Your choice of TLS certificate may affect some of the things that you
> can do, but I see that you've got an RSA certificate from the output
> from SSLLabs, so you shouldn't have any problems with a DSS
> certificate or anything like that. (Use of DSS certs these days is
> fairly rare).
. . .
> Strange. I would have expected Tomcat to enable more cipher suites
> with a default configuration given the SSLInfo output above.
>
> Are you sure you are using the same Java version with Tomcat as you
> did to run those commands above?

Dear Mr. Schultz:
It sure looks like the same Java version. Here is what the manager returns:
> Apache Tomcat/8.5.14 (Debian) 1.7.0_151-b01 Oracle Corporation Linux 	3.16.0-4-amd64
	amd64

It would definitely be helpful if the OS/400 names of the cipher suites 
more precisely matched the Java names. To recap, the QSSLCSL system 
value on the AS/400 shows (using the OS/400 naming conventions)
> *RSA_AES_128_CBC_SHA
> *RSA_RC4_128_SHA
> *RSA_RC4_128_MD5
> *RSA_AES_256_CBC_SHA
> *RSA_3DES_EDE_CBC_SHA
> *RSA_DES_CBC_SHA
> *RSA_EXPORT_RC4_40_MD5
> *RSA_EXPORT_RC2_CBC_40_MD5
> *RSA_NULL_SHA
> *RSA_NULL_MD5

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message