Re: [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

2017-06-06 Thread Porter, Andrew
Thanks Steven for pointing me in the right direction: when I switched to an 
EC/ECDSA key for tomcat then openssl could connect using 
ECDHE-ECDSA-AES256-GCM-SHA384.

But only after installing the unlimited strength policy files on the server; 
with the defaults the best was ECDHE-ECDSA-AES128-GCM-SHA256.

Andrew

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Steven Collison
Sent: Tuesday, June 06, 2017 07:30
To: openssl-users@openssl.org
Cc: openssl-...@openssl.org
Subject: Re: [openssl-users] Problem in connecting to Java (Tomcat) server with 
ECDHE ciphers


As a sanity check, are you using an ECDSA certificate on your Tomcat server? 
ECDHE-ECDSA-AES256-GCM-SHA384 can’t be negotiated without one. Perhaps you can 
try
openssl s_client -connect a.b.c.d: -msg -debug -cipher "ECDHE-RSA-AES256-GCM-SHA384"
if you’re using an RSA cert.

-Steven

On 3 Jun 2017, at 22:01, Pravesh Rai wrote:

Hi,

Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
& server (Java 1.8 with Tomcat), still getting following handshake error,
while executing:

"openssl s_client -connect a.b.c.d: -msg -debug -cipher
ECDHE-ECDSA-AES256-GCM-SHA384"


...
read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
 - 15 03 03 00 02 02 28 ..(
<<< TLS 1.2 [length 0005]
15 03 03 00 02
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:769:
...

And, such error happens, only when ECDHE ciphers are selected during the
connection.

Any clue on this?

Thanks,
PR
--
openssl-users mailing list
To unsubscribe: 
https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

2017-06-06 Thread Steven Collison
As a sanity check, are you using an ECDSA certificate on your Tomcat 
server? ECDHE-ECDSA-AES256-GCM-SHA384 can’t be negotiated without one. 
Perhaps you can try
`openssl s_client -connect a.b.c.d: -msg -debug -cipher "ECDHE-RSA-AES256-GCM-SHA384"`
if you’re using an RSA cert.



-Steven

On 3 Jun 2017, at 22:01, Pravesh Rai wrote:


Hi,

Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
& server (Java 1.8 with Tomcat), still getting following handshake error,
while executing:

"openssl s_client -connect a.b.c.d: -msg -debug -cipher
ECDHE-ECDSA-AES256-GCM-SHA384"


...
read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
 - 15 03 03 00 02 02 28  ..(
<<< TLS 1.2  [length 0005]
15 03 03 00 02
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:769:
...

And, such error happens, only when ECDHE ciphers are selected during the
connection.

Any clue on this?

Thanks,
PR
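
Added example (not part of the original thread or of OpenSSL): the 7-byte record in the dump above decodes to a fatal handshake_failure alert, and the requested suite name shows which certificate key type the server must hold. The helper names and the "RSA" server key type passed to diagnose() are assumptions for illustration.

```python
# Added example: decode the record from the s_client dump and relate the alert
# to the certificate type the requested suite needs. Helper names are illustrative.
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
          70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def decode_record(hex_dump):
    """Parse one TLS record given as hex text, e.g. a line of `-debug` output."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 5:
        raise ValueError("need the 5-byte record header")
    ctype, length = raw[0], int.from_bytes(raw[3:5], "big")
    body = raw[5:5 + length]
    if len(body) != length:
        raise ValueError("record body is truncated")
    rec = {"type": CONTENT_TYPES.get(ctype, "unknown"),
           "version": VERSIONS.get((raw[1], raw[2]), "unknown"),
           "length": length}
    if ctype == 21 and length == 2:  # plaintext alert: level byte, description byte
        rec["level"] = {1: "warning", 2: "fatal"}.get(body[0], "unknown")
        rec["description"] = ALERTS.get(body[1], "unknown(%d)" % body[1])
    return rec

def required_cert_key(openssl_suite):
    """Certificate key type an (EC)DHE suite needs, read from its OpenSSL name."""
    # Simplification: only ECDHE-*/DHE-* names with ECDSA or RSA are handled.
    parts = openssl_suite.upper().split("-")
    if len(parts) > 1 and parts[0] in ("ECDHE", "DHE") and parts[1] in ("ECDSA", "RSA"):
        return parts[1]
    return None

def diagnose(hex_dump, offered_suite, server_cert_key):
    """Explain a handshake_failure when suite and certificate key type disagree."""
    rec = decode_record(hex_dump)
    need = required_cert_key(offered_suite)
    if rec.get("description") == "handshake_failure" and need not in (None, server_cert_key):
        return "%s needs an %s certificate, server presents %s" % (
            offered_suite, need, server_cert_key)
    return "alert not explained by certificate key type"

if __name__ == "__main__":
    dump = "15 03 03 00 02 02 28"  # record bytes copied from the post
    print(decode_record(dump))
    print(diagnose(dump, "ECDHE-ECDSA-AES256-GCM-SHA384", "RSA"))  # "RSA" is assumed
```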


Re: [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

2017-06-05 Thread Porter, Andrew
Running sslscan against Tomcat 8.0.43 / Oracle Java 8u121 and a Tomcat 
server.xml containing

ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"

shows the strongest cipher is

ECDHE-RSA-AES128-GCM-SHA256

Installing the Java unlimited strength policy files increases this to

ECDHE-RSA-AES256-GCM-SHA384

sslscan did not report any ECDSA ciphers from tomcat even when I changed the 
ciphers in server.xml to include them, even though a test Java program that 
enumerates supported ciphers did list (unlimited strength policy files)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

So your openssl connect line below always failed for me.

Andrew

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Pravesh Rai
Sent: Saturday, June 03, 2017 22:02
To: openssl-...@openssl.org
Cc: openssl-users@openssl.org
Subject: [openssl-users] Problem in connecting to Java (Tomcat) server with 
ECDHE ciphers

Hi,

Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k) & 
server (Java 1.8 with Tomcat), still getting following handshake error, while 
executing:

"openssl s_client -connect a.b.c.d: -msg -debug -cipher 
ECDHE-ECDSA-AES256-GCM-SHA384"


...
read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
 - 15 03 03 00 02 02 28  ..(
<<< TLS 1.2  [length 0005]
15 03 03 00 02
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
failure:.\ssl\s23_clnt.c:769:
...

And, such error happens, only when ECDHE ciphers are selected during the 
connection.

Any clue on this?

Thanks,
PR


Re: [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

2017-06-04 Thread Jeffrey Walton
On Sun, Jun 4, 2017 at 1:01 AM, Pravesh Rai wrote:
> Hi,
>
> Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
> & server (Java 1.8 with Tomcat), still getting following handshake error,
> while executing:
>
> "openssl s_client -connect a.b.c.d: -msg -debug -cipher
> ECDHE-ECDSA-AES256-GCM-SHA384"
>

GCM mode is a TLS 1.2 cipher. It looks like Java 8 enables it by
default; cf. 
https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default.

Maybe something like:

openssl s_client -connect www.example.com:443 -tls1_2 -servername www.example.com

The command uses SNI and TLS 1.2, which is pretty much standard
practice nowadays.

If that does not do it, then maybe you can use SSLscan to identify the
protocols and cipher suites the server supports.
https://github.com/rbsec/sslscan

Jeff


[openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

2017-06-03 Thread Pravesh Rai
Hi,

Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
& server (Java 1.8 with Tomcat), still getting following handshake error,
while executing:

"openssl s_client -connect a.b.c.d: -msg -debug -cipher
ECDHE-ECDSA-AES256-GCM-SHA384"


...
read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
 - 15 03 03 00 02 02 28  ..(
<<< TLS 1.2  [length 0005]
15 03 03 00 02
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:769:
...

And, such error happens, only when ECDHE ciphers are selected during the
connection.

Any clue on this?

Thanks,
PR