Re: SSL problems with Tomcat 7.0.69

2016-06-22 Thread James Wiley
Mark,

Thanks for the hint!  I added the following line to my connector and it did the 
trick!

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

Cheers,
James

On 6/22/16, 9:55 AM, "Mark Thomas"  wrote:

On 22/06/2016 16:47, James Wiley wrote:
> Hi Tomcat Users,
> 
> Has anyone run into any issues supporting SSL using the JSSE Connector when 
> upgrading from 7.0.68 to 7.0.69?
> 
> I help maintain a web application that uses tomcat7.  A recent upgrade from 
> 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during 
> SSL Handshake” with the Apache proxy server.  The tomcat instance is running 
> in AWS using an Amazon Linux image (very similar to CentOS) using JDK 1.7.  
> Also, it is proxied by an Apache HTTP server, version 2.2.31.
> 
> I’ve gone through the SSL documentation and updated the settings without any 
> luck.  This instance is configured to use the JSSE Connector.  The following 
> configuration settings work fine under 7.0.68, but break under 7.0.69:
> 
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> keystoreFile=""
> keystorePass="" />

I suspect the more restricted cipher list is the root cause. You can use
the Manager app or JMX to see which ciphers are enabled for a connector.
Compare the results for 7.0.68 and 7.0.69 along with what httpd supports
and adjust accordingly.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
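
The comparison Mark suggests, as an added example that is not part of the original thread: it maps the JSSE suite names from the posted `ciphers` attribute to their OpenSSL names, intersects them with the cipher list on the httpd side, and marks shared suites that lack forward secrecy or use 3DES. The httpd list is constructed sample input (in practice, the output of `openssl ciphers` for the proxy's cipher string), and the function names are hypothetical.

```python
# Added example, not code from the thread: find the suites a Tomcat JSSE
# connector and the httpd proxy in front of it can both negotiate.

# JSSE -> OpenSSL names for the nine suites in the posted ciphers attribute.
JSSE_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DHE-DSS-AES128-SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA": "DHE-RSA-DES-CBC3-SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA": "DHE-DSS-DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "DHE-RSA-AES128-SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256": "DHE-DSS-AES128-SHA256",
}
# Same suites, same order as the ciphers="..." value in the thread.
TOMCAT_CIPHERS = ", ".join(JSSE_TO_OPENSSL)
# Constructed sample of `openssl ciphers` output for the proxy side.
HTTPD_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
                 "AES128-SHA:EDH-RSA-DES-CBC3-SHA")

def norm(openssl_name):
    # Older OpenSSL releases print the DHE 3DES suites with an EDH- prefix.
    return openssl_name.strip().replace("EDH-", "DHE-")

def weaknesses(jsse_name):
    """Flag properties a reviewer would question before keeping a suite."""
    notes = []
    if "_DHE_" not in jsse_name and "_ECDHE_" not in jsse_name:
        notes.append("no forward secrecy")
    if "3DES" in jsse_name:
        notes.append("3DES")
    return notes

def compare(tomcat_attr, httpd_list):
    """Return (shared, unmapped); empty shared means nothing to negotiate."""
    offered = {norm(c) for c in httpd_list.split(":") if c.strip()}
    shared, unmapped = [], []
    for name in filter(None, (c.strip() for c in tomcat_attr.split(","))):
        ossl = JSSE_TO_OPENSSL.get(name)
        if ossl is None:
            unmapped.append(name)  # not in the table above: check by hand
        elif ossl in offered:
            shared.append((name, ossl, weaknesses(name)))
    return shared, unmapped

if __name__ == "__main__":
    for name, ossl, notes in compare(TOMCAT_CIPHERS, HTTPD_CIPHERS)[0]:
        print(f"{name:38} {ossl:22} {', '.join(notes) or '-'}")
```
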




Re: SSL problems with Tomcat 7.0.69

2016-06-22 Thread Mark Thomas
On 22/06/2016 16:47, James Wiley wrote:
> Hi Tomcat Users,
> 
> Has anyone run into any issues supporting SSL using the JSSE Connector when 
> upgrading from 7.0.68 to 7.0.69?
> 
> I help maintain a web application that uses tomcat7.  A recent upgrade from 
> 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during 
> SSL Handshake” with the Apache proxy server.  The tomcat instance is running 
> in AWS using an Amazon Linux image (very similar to CentOS) using JDK 1.7.  
> Also, it is proxied by an Apache HTTP server, version 2.2.31.
> 
> I’ve gone through the SSL documentation and updated the settings without any 
> luck.  This instance is configured to use the JSSE Connector.  The following 
> configuration settings work fine under 7.0.68, but break under 7.0.69:
> 
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> keystoreFile=""
> keystorePass="" />

I suspect the more restricted cipher list is the root cause. You can use
the Manager app or JMX to see which ciphers are enabled for a connector.
Compare the results for 7.0.68 and 7.0.69 along with what httpd supports
and adjust accordingly.

Mark




SSL problems with Tomcat 7.0.69

2016-06-22 Thread James Wiley
Hi Tomcat Users,

Has anyone run into any issues supporting SSL using the JSSE Connector when 
upgrading from 7.0.68 to 7.0.69?

I help maintain a web application that uses tomcat7.  A recent upgrade from 
7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during SSL 
Handshake” with the Apache proxy server.  The tomcat instance is running in AWS 
using an Amazon Linux image (very similar to CentOS) using JDK 1.7.  Also, it is 
proxied by an Apache HTTP server, version 2.2.31.

I’ve gone through the SSL documentation and updated the settings without any 
luck.  This instance is configured to use the JSSE Connector.  The following 
configuration settings work fine under 7.0.68, but break under 7.0.69:



Thanks,
James