Giuseppe,

On 2/15/13 9:07 AM, Giuseppe Sacco wrote:
> Debugging the SSL handshake, I found that the problem is really
> about ciphers because the handshake fails with exception
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
> So, this is really something to be investigated in JSSE instead of
> tomcat. I am sorry for noise in this list :-(

We were pretty sure it wasn't Tomcat's fault, but we can still
probably help.

> Allow legacy hello messages: true [snip] http-192.168.1.55-8443-1,
> READ: SSLv3 Handshake, length = 75 *** ClientHello, SSLv3
> RandomCookie: GMT: 1360933724 bytes = { 203, 86, 168, 88, 75, 77,
> 52, 134, 4, 76, 204, 78, 0, 160, 168, 123, 96, 78, 106, 23, 40, 47,
> 219, 81, 28, 23, 174, 156 } Session ID: {} Cipher Suites:
> [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x0:0x3d, Unknown
> 0x0:0x3c, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA,
> SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x6b,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x3b,
> SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5] Compression Methods:
> { 0 } ***

So the client is doing an SSLv3 handshake. The message above about
allowing legacy "hellos" seems like it should support an SSLv3
handshake.

Looking at the ciphers, your JVM (without BouncyCastle) and client
truly have no overlap. I'm actually surprised that your JVM does not
support any TLS_RSA_* or TLS_DHE_* ciphers.

Can you re-run my cipher-dump program without BouncyCastle and provide
the full output? I was a little unclear as to what you posted last time.

-chris
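
An added example, not part of the original message and not the cipher-dump program mentioned in it: a way to check the overlap discussed above by intersecting the named suites from the quoted ClientHello with what the local JVM's JSSE provider reports. The class name `CipherOverlap` and the helpers `overlap` and `report` are hypothetical.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical class name; added example, not the cipher-dump program from the thread.
public class CipherOverlap {
    // Named suites from the ClientHello quoted above. Left out on purpose:
    // TLS_EMPTY_RENEGOTIATION_INFO_SCSV (a signalling value, not a cipher) and the
    // "Unknown 0x0:0x.." entries, which the JVM that printed the trace cannot name.
    static final List<String> CLIENT_OFFER = Arrays.asList(
        "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5");

    // Suites the client offered that also appear in the server-side list,
    // kept in the client's order.
    static List<String> overlap(List<String> offered, String[] serverSide) {
        Set<String> server = new HashSet<String>(Arrays.asList(serverSide));
        List<String> common = new ArrayList<String>();
        for (String suite : offered) {
            if (server.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    static void report(String label, String[] serverSide) {
        List<String> common = overlap(CLIENT_OFFER, serverSide);
        System.out.println(label + ": " + serverSide.length + " suites, "
            + common.size() + " in common with the client");
        for (String suite : common) {
            // NULL suites provide integrity but do not encrypt; an overlap made up
            // only of these is not a usable result.
            String note = suite.contains("_NULL_") ? "  (no encryption)" : "";
            System.out.println("  " + suite + note);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        report("Supported by this JVM", f.getSupportedCipherSuites());
        report("Enabled by default", f.getDefaultCipherSuites());
    }
}
```

Run it with the same JVM and security provider configuration that Tomcat uses. An empty first list is consistent with the `no cipher suites in common` failure, while suites that appear only in the first list are implemented but not enabled by default.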