someone put cipherSuites patch on TC 7 Connector..

*IF you are implementing TC7 Connector with cipherSuites attribute support and 
have not specified cipherSuites supported by your ppk keys*
then yes, it's Tomcat's fault

Otherwise it's not..

Ciao,

Martin Gainty 

> Date: Fri, 15 Feb 2013 12:36:53 -0500
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Tomcat does not accept connections from Safari on iPad vs an SSL 
> connector with JSSE ciphers
> 
> Giuseppe,
> 
> On 2/15/13 9:07 AM, Giuseppe Sacco wrote:
> > Debugging the SSL handshake, I found that the problem is really
> > about ciphers because the handshake fails with exception 
> > javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > 
> > So, this is really something to be investigated in JSSE instead of 
> > tomcat. I am sorry for noise in this list :-(
> 
> We were pretty sure it wasn't Tomcat's fault, but we can still
> probably help.
> 
> > Allow legacy hello messages: true
> > [snip]
> > http-192.168.1.55-8443-1, READ: SSLv3 Handshake, length = 75
> > *** ClientHello, SSLv3
> > RandomCookie: GMT: 1360933724 bytes = { 203, 86, 168, 88, 75, 77,
> > 52, 134, 4, 76, 204, 78, 0, 160, 168, 123, 96, 78, 106, 23, 40, 47,
> > 219, 81, 28, 23, 174, 156 }
> > Session ID: {}
> > Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x0:0x3d,
> > Unknown 0x0:0x3c, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA,
> > SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA,
> > SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x6b,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x3b,
> > SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5]
> > Compression Methods: { 0 }
> > ***
> 
> So the client is doing an SSLv3 handshake. The message above about
> allowing legacy "hellos" seems like it should support an SSLv3
> handshake. Looking at the ciphers, your JVM (without BouncyCastle) and
> client truly have no overlap. I'm actually surprised that your JVM
> does not support any TLS_RSA_* or TLS_DHE_* ciphers. Can you re-run my
> cipher-dump program without BouncyCastle and provide the full output?
> I was a little unclear as to what you posted last time.
> 
> -chris
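
An added example, not part of the original thread and not the cipher-dump program mentioned in it: a small Java check of the overlap discussed above, comparing the named suites from the quoted ClientHello with what the local JVM's default JSSE provider offers. The class name `CipherOverlap` and the optional comma-separated argument (standing in for a connector's configured cipher list) are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherOverlap {
    // Named suites from the ClientHello quoted in the thread, in the client's order.
    // Left out: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (a signalling value, not a cipher)
    // and the "Unknown 0x0:0x.." entries, which the logging JVM could not name.
    static final List<String> CLIENT_OFFER = Arrays.asList(
        "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5");

    // Suites from 'offered' that also appear in 'serverSuites', keeping the offered order.
    static List<String> overlap(List<String> offered, String[] serverSuites) {
        Set<String> server = new HashSet<String>(Arrays.asList(serverSuites));
        List<String> common = new ArrayList<String>();
        for (String suite : offered) {
            if (server.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        System.out.println("Offered and supported by JVM : "
            + overlap(CLIENT_OFFER, f.getSupportedCipherSuites()));
        System.out.println("Offered and enabled by default: "
            + overlap(CLIENT_OFFER, f.getDefaultCipherSuites()));
        if (args.length > 0) {
            // Assumption: args[0] is the comma-separated list configured on the connector.
            String[] configured = args[0].trim().split("\\s*,\\s*");
            List<String> usable = overlap(Arrays.asList(configured), f.getSupportedCipherSuites());
            System.out.println("Configured and supported      : " + usable);
            System.out.println("...of those, offered by client: "
                + overlap(CLIENT_OFFER, usable.toArray(new String[0])));
        }
    }
}
```

An empty final list corresponds to the `no cipher suites in common` failure. A non-empty list is necessary but not sufficient: every suite named here uses RSA authentication, so the server's keystore must also hold an RSA key for the handshake to complete.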