Re: SSL problems with Tomcat 7.0.69
Mark,

Thanks for the hint! I added the following line to my connector and it did the trick!

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

Cheers,
James

On 6/22/16, 9:55 AM, "Mark Thomas" wrote:

On 22/06/2016 16:47, James Wiley wrote:
> Hi Tomcat Users,
>
> Has anyone run into any issues supporting SSL using the JSSE Connector when
> upgrading from 7.0.68 to 7.0.69?
>
> I help maintain a web application that uses tomcat7. A recent upgrade from
> 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during
> SSL Handshake” with the Apache proxy server. The tomcat instance is running
> in AWS using an Amazon Linux image (very similar to CentOS) using JDK 1.7.
> Also, it is proxied by an Apache HTTP server, version 2.2.31.
>
> I’ve gone through the SSL documentation and updated the settings without any
> luck. This instance is configured to use the JSSE Connector. The following
> configuration settings work fine under 7.0.68, but break under 7.0.69:
>
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> keystoreFile=""
> keystorePass="" />

I suspect the more restricted cipher list is the root cause.

You can use the Manager app or JMX to see which ciphers are enabled for a connector. Compare the results for 7.0.68 and 7.0.69 along with what httpd supports and adjust accordingly.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL problems with Tomcat 7.0.69
On 22/06/2016 16:47, James Wiley wrote:
> Hi Tomcat Users,
>
> Has anyone run into any issues supporting SSL using the JSSE Connector when
> upgrading from 7.0.68 to 7.0.69?
>
> I help maintain a web application that uses tomcat7. A recent upgrade from
> 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during
> SSL Handshake” with the Apache proxy server. The tomcat instance is running
> in AWS using an Amazon Linux image (very similar to CentOS) using JDK 1.7.
> Also, it is proxied by an Apache HTTP server, version 2.2.31.
>
> I’ve gone through the SSL documentation and updated the settings without any
> luck. This instance is configured to use the JSSE Connector. The following
> configuration settings work fine under 7.0.68, but break under 7.0.69:
>
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> keystoreFile=""
> keystorePass="" />

I suspect the more restricted cipher list is the root cause.

You can use the Manager app or JMX to see which ciphers are enabled for a connector. Compare the results for 7.0.68 and 7.0.69 along with what httpd supports and adjust accordingly.

Mark
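The comparison suggested in the reply above (ciphers enabled on the connector against what httpd supports), as an added example that is not part of the thread or of Tomcat. The JSSE names are the ones in the ciphers="..." value posted in the thread; the httpd cipher string, the function names and the name table are assumptions made for illustration.

```python
# Added example. JSSE names come from the ciphers="..." value in the thread;
# the httpd/OpenSSL cipher string below is constructed sample data.
# IANA/JSSE suite name -> OpenSSL name, for the nine suites in the thread.
JSSE_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DHE-DSS-AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": "EDH-RSA-DES-CBC3-SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": "EDH-DSS-DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "DHE-RSA-AES128-SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256": "DHE-DSS-AES128-SHA256",
}
# Newer OpenSSL releases print a DHE- prefix for the two EDH- names.
OPENSSL_ALIASES = {"DHE-RSA-DES-CBC3-SHA": "EDH-RSA-DES-CBC3-SHA",
                   "DHE-DSS-DES-CBC3-SHA": "EDH-DSS-DES-CBC3-SHA"}

def compare(connector_ciphers, openssl_cipher_line):
    """Return (shared, unmapped): JSSE names, in connector order."""
    names = [n.strip() for n in openssl_cipher_line.split(":")]
    offered = {OPENSSL_ALIASES.get(n, n) for n in names if n}
    shared, unmapped = [], []
    for suite in (s.strip() for s in connector_ciphers.split(",")):
        if not suite:
            continue
        # Oracle JSSE keeps an SSL_ prefix on pre-TLS suites; IANA uses TLS_.
        iana = "TLS_" + suite[4:] if suite.startswith("SSL_") else suite
        openssl_name = JSSE_TO_OPENSSL.get(iana)
        if openssl_name is None:
            unmapped.append(suite)      # not in the table: check by hand
        elif openssl_name in offered:
            shared.append(suite)        # both ends can negotiate this suite
    return shared, unmapped

def without_3des(suites):
    """Drop 3DES suites (64-bit block cipher) once other suites overlap."""
    return [s for s in suites if "3DES" not in s]

# The connector value posted in the thread.
THREAD_CIPHERS = ("TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256")
# Constructed stand-in for `openssl ciphers` output on the httpd host.
HTTPD_SAMPLE = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA"

if __name__ == "__main__":
    print(compare(THREAD_CIPHERS, HTTPD_SAMPLE))
```

An empty `shared` list means the two ends have no suite in common, which is the condition that produces a handshake error between the proxy and the connector.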
SSL problems with Tomcat 7.0.69
Hi Tomcat Users,

Has anyone run into any issues supporting SSL using the JSSE Connector when upgrading from 7.0.68 to 7.0.69?

I help maintain a web application that uses tomcat7. A recent upgrade from 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during SSL Handshake” with the Apache proxy server. The tomcat instance is running in AWS using an Amazon Linux image (very similar to CentOS) using JDK 1.7. Also, it is proxied by an Apache HTTP server, version 2.2.31.

I’ve gone through the SSL documentation and updated the settings without any luck. This instance is configured to use the JSSE Connector. The following configuration settings work fine under 7.0.68, but break under 7.0.69:

Thanks,
James