Mudassir,
On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> Mudassir,
>
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>> Again, we have to submit this as a bug.....TLS 1.2 is not
>> working in Tomcat
>
> Tomcat 7.0.74
> Oracle Java 1.7.0_45
> tcnative 1.1.29 trunk (essentially 1.2.29
>
> tcnative$ make clean
> tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
> tcnative$ time make
> [...]
> make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
>
> real    0m14.790s
> user    0m15.300s
> sys     0m1.840s
>
> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>
> tcnative$ cd $CATALINA_BASE
>
> tomcat$ cat conf/server.xml
>
> [...]
>     <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true" secure="true" scheme="https"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="all"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
> [...]
>
> tomcat$ bin/startup.sh
>
> [...]
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> [...]
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> verify error:num=19:self signed certificate in certificate chain
> [...]
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
> [...]
>
> *disconnect*
>
> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>
> Looks like TLS1.2 works just fine in the default configuration
> (SSLProtocol="all" is the default).
>
> Let's try your configuration. I'm only going to change SSLProtocol
> from "all" to "TLSv1":
>
>     <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true" secure="true" scheme="https"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
> *Restart Tomcat*
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> [...]
>
> Trying again with Firefox 26 gives me
> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>
> Let's try restricting to only your cipher. Let's make sure that my
> OpenSSL version supports it, first:
>
> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
>
> Yup. Let's configure it in Tomcat:
>
>     <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true" secure="true" scheme="https"
>                SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
> $ openssl s_client -connect myhost:8218
> CONNECTED(00000003)
> 139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>
> $ openssl s_client -tls1 -connect myhost:8218
> CONNECTED(00000003)
> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>
> $ openssl s_client -tls1_1 -connect myhost:8218
> CONNECTED(00000003)
> 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>
> $ openssl s_client -tls1_2 -connect myhost:8218
> CONNECTED(00000003)
> 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>
> Firefox also fails with "ssl_error_no_cypher_overlap".
>
> $ sslscan myhost:8218
> Version 1.8.2 http://www.titania.co.uk Copyright Ian Ventura-Whiting 2009
>
> Testing SSL server myhost on port 8218
>
> Supported Server Cipher(s):
> [...]
> The cipher appears to be supported by both client (OpenSSL
> s_client) and server (also using the same version of OpenSSL) but
> the handshake cannot complete.
>
> Let's try another cipher. How about one that worked before:
> DHE-RSA-AES256-SHA
>
>     <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true" secure="true" scheme="https"
>                SSLCipherSuite="DHE-RSA-AES256-SHA"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
> $ openssl s_client -connect myhost:8218
> [...]
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> [...]
>
> Works. Firefox 26 also works.
>
> There must be some kind of problem with configuring
> ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?

Oh, I also tried this:

    <Connector port="8218"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" secure="true" scheme="https"
               SSLCertificateKeyFile="[...]"
               SSLCertificateFile="[...]"
               SSLCertificateChainFile="[...]"
               SSLProtocol="TLSv1"
               executor="tomcatThreadPool"
               URIEncoding="UTF-8" />

$ openssl s_client -connect myhost:8218 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
140418231797416:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:

(Try some other cipher)

$ openssl s_client -connect myhost:8218 -cipher DHE-RSA-AES256-SHA
[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
[...]

$ sslscan myhost:8218 | grep ECDHE-ECDSA
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA

It looks like there is something wrong with the ECDHE-ECDSA suites. If
anything, this is an OpenSSL problem and not a Tomcat one: Tomcat
doesn't do anything with the crypto, here.
-chris
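Two things worth checking before pinning SSLCipherSuite to a single suite as in this thread are whether the suite's minimum protocol (the second column of `openssl ciphers -v`) is enabled by SSLProtocol, and whether its Au= type matches the server certificate's key (an Au=ECDSA suite needs an ECDSA certificate). The checker below is an added example, not code from the message or from Tomcat; the RSA certificate type, the two extra `openssl ciphers -v` rows, and the assumption that SSLProtocol is either "all" or one version name are constructed for the example.

```python
"""Pre-check a Tomcat APR connector's SSLCipherSuite against its SSLProtocol
and certificate key type, using the `openssl ciphers -v` column layout."""
import re

# Constructed sample of `openssl ciphers -v` output. The first line is the one
# quoted in the thread; the other two rows are constructed in the same layout.
OPENSSL_CIPHERS_V = """\
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# The second column is the *minimum* protocol the suite needs: an SSLv3 suite
# is also offered under TLS 1.0/1.1/1.2, a TLSv1.2 suite only under TLS 1.2.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def parse_ciphers_v(text):
    """Map suite name -> (minimum protocol, Au= authentication type)."""
    suites = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+Kx=\S+\s+Au=(\S+)", line)
        if m:
            suites[m.group(1)] = (m.group(2), m.group(3))
    return suites


def enabled_protocols(ssl_protocol):
    """Assumed Tomcat 7 APR semantics: 'all', or exactly one version name."""
    return set(PROTO_RANK) if ssl_protocol == "all" else {ssl_protocol}


def check_suite(suite, ssl_protocol, cert_key_type, suites):
    """Return the reasons `suite` cannot be negotiated (empty list = usable)."""
    if suite not in suites:
        return ["not present in this OpenSSL build"]
    min_proto, auth = suites[suite]
    problems = []
    if not any(PROTO_RANK[p] >= PROTO_RANK[min_proto]
               for p in enabled_protocols(ssl_protocol)):
        problems.append(f"needs {min_proto}+ but SSLProtocol={ssl_protocol!r}")
    # Au=RSA suites need an RSA certificate, Au=ECDSA an ECDSA certificate;
    # anonymous suites (Au=None) need no certificate at all.
    if auth not in ("None", cert_key_type):
        problems.append(f"authenticates with {auth} but the certificate key is {cert_key_type}")
    return problems


if __name__ == "__main__":
    table = parse_ciphers_v(OPENSSL_CIPHERS_V)
    # Assumed RSA certificate: the thread's certificate files are elided.
    for s in ("ECDHE-ECDSA-AES128-SHA256", "DHE-RSA-AES256-SHA"):
        print(s, check_suite(s, "TLSv1", "RSA", table) or "OK")
```

With the thread's SSLProtocol="TLSv1" and an RSA certificate, the TLSv1.2-only ECDSA suite fails both checks while DHE-RSA-AES256-SHA passes, matching the handshake results reported above.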