Mark,
Thanks for the hint! I added the following line to my connector and it did the
trick!
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
Cheers,
James
On 6/22/16, 9:55 AM, "Mark Thomas" <ma...@apache.org> wrote:
On 22/06/2016 16:47, James Wiley wrote:
> Hi Tomcat Users,
>
> Has anyone run into any issues supporting SSL using the JSSE Connector when
> upgrading from 7.0.68 to 7.0.69?
>
> I help maintain a web application that uses tomcat7. A recent upgrade from
> 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during
> SSL Handshake” with the Apache proxy server. The tomcat instance is running
> in AWS using a Amazon Linux image (very similar to CentOS) using JDK 1.7.
> Also, it is proxied by an Apache HTTP server, version 2.2.31.
>
> I’ve gone through the SSL documentation and updated the settings without any
> luck. This instance is configured to use the JSSE Connector. The following
> configuration settings work fine under 7.0.68, but break under 7.0.69:
>
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> keystoreFile=""
> keystorePass="" />
I suspect the more restricted cipher list is the root cause. You can use
the Manager app or JMX to see which ciphers are enabled for a connector.
Compare the results for 7.0.68 and 7.0.69 along with what httpd supports
and adjust accordingly.
Mark
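An added illustration of the check Mark suggests (this is example code written for this thread, not Tomcat's own code and not something either poster ran). It takes the ciphers attribute James posted, splits it the way a comma-separated connector attribute is read, and compares each suite against what the running JVM's JSSE provider supports and what it enables by default. Run it with the same JDK that runs Tomcat, since the answer depends on that JVM; the class and method names are my own.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

/**
 * Compares a connector's ciphers="..." list against the cipher suites the
 * running JVM's JSSE provider supports and enables by default.
 * Added example for this thread; not part of Tomcat. Written for Java 7
 * (no lambdas or streams) since the poster runs JDK 1.7.
 */
public class ConnectorCipherCheck {

    // The ciphers attribute posted in the thread, copied verbatim.
    static final String CONNECTOR_CIPHERS =
          "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
        + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
        + "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, "
        + "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "
        + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";

    /** Splits a comma-separated ciphers attribute into trimmed suite names. */
    static List<String> parseCipherAttribute(String attr) {
        List<String> suites = new ArrayList<String>();
        for (String part : attr.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) {
                suites.add(name);
            }
        }
        return suites;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();

        // Every suite this JVM can negotiate at all; a configured suite that is
        // missing here will never be offered, whatever the connector says.
        TreeSet<String> supported = new TreeSet<String>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));

        // What the JVM enables when no explicit cipher list is configured.
        TreeSet<String> enabledByDefault = new TreeSet<String>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        for (String suite : parseCipherAttribute(CONNECTOR_CIPHERS)) {
            String status;
            if (!supported.contains(suite)) {
                status = "NOT SUPPORTED by this JVM";
            } else if (!enabledByDefault.contains(suite)) {
                status = "supported, but not in the JVM default list";
            } else {
                status = "supported and enabled by default";
            }
            // 3DES uses a 64-bit block and is treated as weak by current guidance;
            // flag it so it stands out when the list is reviewed.
            if (suite.contains("3DES")) {
                status += " [3DES: weak]";
            }
            System.out.printf("%-40s %s%n", suite, status);
        }
    }
}
```

Compile and run with `javac ConnectorCipherCheck.java && java ConnectorCipherCheck` on the Tomcat host. Suites reported as unsupported or not enabled by default are the ones to look at when the two Tomcat versions behave differently; the other half of Mark's comparison is the proxy side, where mod_ssl's `SSLProxyCipherSuite` directive governs what httpd offers when it connects to the backend.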
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org