Giuseppe,

On 2/15/13 9:07 AM, Giuseppe Sacco wrote:
> Debugging the SSL handshake, I found that the problem is really
> about ciphers because the handshake fails with exception 
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 
> So, this is really something to be investigated in JSSE instead of 
> tomcat. I am sorry for noise in this list :-(

We were pretty sure it wasn't Tomcat's fault, but we can still
probably help.

> Allow legacy hello messages: true
> [snip]
> http-192.168.1.55-8443-1, READ: SSLv3 Handshake, length = 75
> *** ClientHello, SSLv3
> RandomCookie:  GMT: 1360933724 bytes = { 203, 86, 168, 88, 75, 77, 52, 134, 4, 76, 204, 78, 0, 160, 168, 123, 96, 78, 106, 23, 40, 47, 219, 81, 28, 23, 174,  156 }
> Session ID:  {}
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x0:0x3d,
> Unknown 0x0:0x3c, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA,
> SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x6b,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x3b,
> SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5]
> Compression Methods: { 0 }
> ***

So the client is doing an SSLv3 handshake. The message above about
allowing legacy "hellos" seems like it should support an SSLv3
handshake. Looking at the ciphers, your JVM (without BouncyCastle) and
client truly have no overlap. I'm actually surprised that your JVM
does not support any TLS_RSA_* or TLS_DHE_* ciphers. Can you re-run my
cipher-dump program without BouncyCastle and provide the full output?
I was a little unclear as to what you posted last time.

-chris
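
An added example, not the cipher-dump program mentioned in this message and not code from the thread: it compares the suites offered in the quoted ClientHello with what the local JVM's default JSSE provider enables and supports. The class name is hypothetical, and the "Unknown 0x0:0x.." entries are written with their IANA-registered names (an assumption about what the client meant to offer).

```java
import java.util.*;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherOverlap {
    // Suites from the quoted ClientHello. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a
    // signalling value, not a cipher, so it is left out of the comparison.
    static final String[] OFFERED = {
        "TLS_RSA_WITH_AES_256_CBC_SHA256",     // Unknown 0x0:0x3d
        "TLS_RSA_WITH_AES_128_CBC_SHA256",     // Unknown 0x0:0x3c
        "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", // Unknown 0x0:0x67
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", // Unknown 0x0:0x6b
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_NULL_SHA256",            // Unknown 0x0:0x3b
        "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"
    };

    // JSSE names older suites SSL_* and newer ones TLS_*; compare without the prefix.
    static String norm(String suite) {
        return suite.replaceFirst("^(SSL|TLS)_", "");
    }

    // Offered suites that also appear in the local list, in the client's order.
    static List<String> overlap(String[] offered, String[] local) {
        Set<String> known = new HashSet<>();
        for (String s : local) known.add(norm(s));
        List<String> common = new ArrayList<>();
        for (String s : offered) if (known.contains(norm(s))) common.add(s);
        return common;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("Enabled by default and offered by client:");
        for (String s : overlap(OFFERED, f.getDefaultCipherSuites()))
            System.out.println("  " + s);
        System.out.println("Supported (may need enabling) and offered by client:");
        for (String s : overlap(OFFERED, f.getSupportedCipherSuites()))
            System.out.println("  " + s);
    }
}
```

A non-empty overlap here only shows that the names match; the server still needs a key and certificate of the type the suite requires (RSA for every suite the client offered), otherwise JSSE reports the same "no cipher suites in common" failure.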