Subject: Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
From: Christopher Schultz
To: users@tomcat.apache.org (Tomcat Users List)
Date: Wed, 4 Oct 2017 14:01:21 -0400
In-Reply-To: <59D51228.3050704@touchtonecorp.com>
References: <59D406BB.40308@touchtonecorp.com> <723f12a7-b302-207a-e594-c3e2bd9f098d@christopherschultz.net> <59D51228.3050704@touchtonecorp.com>

James,

On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> I wrote:
>>> I mean, I know that I need to get HTTPAPI and Tomcat speaking
>>> the same language, but where do I begin?
>
> Here's what I got back when I ran the SSLLabs server test on the
> cloud server:
>
>> Protocols
>> TLS 1.3   No
>> TLS 1.2   Yes
>> TLS 1.1   Yes
>> TLS 1.0   Yes
>> SSL 3     No
>> SSL 2     No
>
>> Cipher Suites
>> # TLS 1.2 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH secp521r1 (eq. 15360 bits RSA)  FS  128
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp521r1 (eq. 15360 bits RSA)  FS  128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH secp521r1 (eq. 15360 bits RSA)  FS  256
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp521r1 (eq. 15360 bits RSA)  FS  256
>> # TLS 1.1 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH secp521r1 (eq. 15360 bits RSA)  FS  128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH secp521r1 (eq. 15360 bits RSA)  FS  256
>> # TLS 1.0 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH secp521r1 (eq. 15360 bits RSA)  FS  128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH secp521r1 (eq. 15360 bits RSA)  FS  256
>
> On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the
> operating system's SSL support (which was how I thought it worked),
> and directed to look through the system values to see what it
> supports. What I found was:
>
> QSSLPCL   *SEC   Secure sockets layer protocols
>> *OPSYS
> (which I'm pretty sure means that all OS-supported protocols are
> available; they can also be individually specified as any or all
> of *TLSV1, *SSLV3, and *SSLV2)
>
> QSSLCSL   *SEC   Secure sockets layer cipher specification list
>> *RSA_AES_128_CBC_SHA
>> *RSA_RC4_128_SHA
>> *RSA_RC4_128_MD5
>> *RSA_AES_256_CBC_SHA
>> *RSA_3DES_EDE_CBC_SHA
>> *RSA_DES_CBC_SHA
>> *RSA_EXPORT_RC4_40_MD5
>> *RSA_EXPORT_RC2_CBC_40_MD5
>> *RSA_NULL_SHA
>> *RSA_NULL_MD5
>
> and unfortunately, IBM doesn't backport new cipher suites to older
> OS releases.

Looks like your server only has ECDHE-based suites available, and the
client supports none of those.

Can you post your configuration from conf/server.xml?
-chris
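Added example, not part of the thread and not IBM or Tomcat code: a small Python diagnostic that reproduces the reasoning in the reply above. It parses the SSL Labs suite listing and the QSSLCSL system value quoted in the thread, translates the IBM i *KEX_CIPHER tokens to IANA TLS_KEX_WITH_CIPHER names (an assumed naming rule, not a documented API), and reports the overlap, the key-exchange family on each side, and which client suites are obsolete.

```python
import re
from typing import Dict, Set

# Server suites as SSL Labs printed them (copied from the report quoted in the thread).
SSLLABS_REPORT = """
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
"""

# Client suites as the IBM i QSSLCSL system value lists them (also from the thread).
QSSLCSL = ("*RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5 "
           "*RSA_AES_256_CBC_SHA *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA "
           "*RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA *RSA_NULL_MD5")

# Key-exchange families recognised in *KEX_CIPHER tokens (assumed IBM i naming rule).
KEX_FAMILIES = ("ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA", "RSA")

def parse_ssllabs(report: str) -> Set[str]:
    """Extract IANA suite names from SSL Labs 'NAME (0xNNNN) ...' lines."""
    return set(re.findall(r"\b(TLS_[A-Z0-9_]+)\s+\(0x[0-9a-f]{4}\)", report))

def qsslcsl_to_iana(value: str) -> Dict[str, str]:
    """Map each *KEX_CIPHER token to TLS_KEX_WITH_CIPHER; unknown families are skipped."""
    mapping = {}
    for token in value.split():
        name = token.lstrip("*")
        for kex in KEX_FAMILIES:
            if name.startswith(kex + "_"):
                mapping[token] = f"TLS_{kex}_WITH_{name[len(kex) + 1:]}"
                break
    return mapping

def key_exchange(iana_name: str) -> str:
    """'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' -> 'ECDHE_RSA'."""
    return iana_name[len("TLS_"):iana_name.index("_WITH_")]

def diagnose(server: Set[str], client: Dict[str, str]) -> dict:
    """Explain a 'no compatible cipher suite' failure from the two offered lists."""
    client_iana = set(client.values())
    return {
        "common": sorted(server & client_iana),
        "server_kex": sorted({key_exchange(s) for s in server}),
        "client_kex": sorted({key_exchange(c) for c in client_iana}),
        # Export-grade, NULL, RC4 and single-DES suites should never be negotiated.
        "obsolete_client": sorted(t for t in client if re.search(r"EXPORT|NULL|RC4|_DES_", t)),
    }

if __name__ == "__main__":
    print(diagnose(parse_ssllabs(SSLLABS_REPORT), qsslcsl_to_iana(QSSLCSL)))
```

For the two lists in the thread the overlap is empty: every server suite uses ECDHE_RSA key exchange and every client suite uses plain RSA, which is exactly the mismatch the reply points out.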