Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

Christopher Schultz Sat, 04 Jan 2014 13:18:57 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Musassir,


On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> Musassir,
> 
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>> Again, we have to submit this as a bug.....TLS 1.2 is not
>> working in Tomcat
> 
> Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk
> (essentially 1.2.29
> 
> tcnative$ make clean tcnative$ ./configure --with-apr=`which
> apr-config` --with-java-home=/usr/local/java-7 --with-ssl tcnative$
> time make [...] make[1]: Leaving directory 
> `/home/cschultz/projects/tomcat-native-1.1.x/native'
> 
> real  0m14.790s user  0m15.300s sys   0m1.840s
> 
> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> 
> tcnative$ cd $CATALINA_BASE
> 
> tomcat$ cat conf/server.xml
> 
> [...] <Connector port="8218" 
> protocol="org.apache.coyote.http11.Http11AprProtocol" 
> SSLEnabled="true" secure="true" scheme="https" 
> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" 
> SSLCertificateChainFile="[...]" SSLProtocol="all" 
> executor="tomcatThreadPool" URIEncoding="UTF-8" /> [...]
> 
> tomcat$ bin/startup.sh
> 
> [...] Jan 04, 2014 3:17:26 PM
> org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR
> based Apache Tomcat Native library 1.1.30 using APR version 1.4.6. 
> Jan 04, 2014 3:17:26 PM
> org.apache.catalina.core.AprLifecycleListener init INFO: APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true]. Jan 04, 2014 3:17:26 PM
> org.apache.catalina.core.AprLifecycleListener initializeSSL INFO:
> OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013) 
> [...]
> 
> tomcat$ openssl s_client -connect myhost:8218 [...] verify
> error:num=19:self signed certificate in certificate chain [...] 
> SSL-Session: Protocol  : TLSv1.2 Cipher    :
> DHE-RSA-AES256-GCM-SHA384 [...]
> 
> *disconnect*
> 
> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect 
> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
> 
> Looks like TLS1.2 works just fine in the default configuration 
> (SSLProtocol="all" is the default).
> 
> Let's try your configuration. I'm only going to change SSLProtocol 
> from "all" to "TLSv1":
> 
> <Connector port="8218" 
> protocol="org.apache.coyote.http11.Http11AprProtocol" 
> SSLEnabled="true" secure="true" scheme="https" 
> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" 
> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" 
> executor="tomcatThreadPool" URIEncoding="UTF-8" />
> 
> * Restart Tomcat*
> 
> tomcat$ openssl s_client -connect myhost:8218 [...] SSL-Session: 
> Protocol  : TLSv1 Cipher    : DHE-RSA-AES256-SHA [...]
> 
> Trying again with Firefox 26 give me 
> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
> 
> Let's try restricting to only your cipher. Let's make sure that my 
> OpenSSL version supports it, first:
> 
> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256 
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA
> Enc=AES(128) Mac=SHA256
> 
> 
> Yup. Let's configure it in Tomcat:
> 
> <Connector port="8218" 
> protocol="org.apache.coyote.http11.Http11AprProtocol" 
> SSLEnabled="true" secure="true" scheme="https" 
> SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256" 
> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" 
> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" 
> executor="tomcatThreadPool" URIEncoding="UTF-8" />
> 
> 
> $ openssl s_client -connect myhost:8218 CONNECTED(00000003) 
> 139718306563752:error:14077410:SSL 
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
> failure:s23_clnt.c:741:
> 
> $ openssl s_client -tls1 -connect myhost:8218 CONNECTED(00000003) 
> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 
> alert handshake failure:s3_pkt.c:1256:SSL alert number 40 
> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl 
> handshake failure:s3_pkt.c:596:
> 
> $ openssl s_client -tls1_1 -connect myhost:8218 
> CONNECTED(00000003) 140680041133736:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> 
> $ openssl s_client -tls1_2 -connect myhost:8218 
> CONNECTED(00000003) 139976873068200:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> 
> Firefox also fails with "ssl_error_no_cypher_overlap".
> 
> $ $ sslscan myhost:8218 _ ___ ___| |___  ___ __ _ _ __ / __/ __| /
> __|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | | 
> |___/___/_|___/\___\__,_|_| |_|
> 
> Version 1.8.2 http://www.titania.co.uk Copyright Ian
> Ventura-Whiting 2009
> 
> Testing SSL server myhost on port 8218
> 
> Supported Server Cipher(s): Failed    SSLv3  256 bits
> ECDHE-RSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> ECDHE-ECDSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> ECDHE-RSA-AES256-SHA384 Failed    SSLv3  256 bits
> ECDHE-ECDSA-AES256-SHA384 Rejected  SSLv3  256 bits
> ECDHE-RSA-AES256-SHA Rejected  SSLv3  256 bits
> ECDHE-ECDSA-AES256-SHA Rejected  SSLv3  256 bits
> SRP-DSS-AES-256-CBC-SHA Rejected  SSLv3  256 bits
> SRP-RSA-AES-256-CBC-SHA Failed    SSLv3  256 bits
> DHE-DSS-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> DHE-RSA-AES256-GCM-SHA384 Failed    SSLv3  256 bits
> DHE-RSA-AES256-SHA256 Failed    SSLv3  256 bits
> DHE-DSS-AES256-SHA256 Rejected  SSLv3  256 bits
> DHE-RSA-AES256-SHA Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA 
> Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA Rejected  SSLv3
> 256 bits  DHE-DSS-CAMELLIA256-SHA Rejected  SSLv3  256 bits
> AECDH-AES256-SHA Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA 
> Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384 Failed    SSLv3
> 256 bits  ADH-AES256-SHA256 Rejected  SSLv3  256 bits
> ADH-AES256-SHA Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA 
> Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384 Failed
> SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384 Failed    SSLv3  256
> bits  ECDH-RSA-AES256-SHA384 Failed    SSLv3  256 bits
> ECDH-ECDSA-AES256-SHA384 Rejected  SSLv3  256 bits
> ECDH-RSA-AES256-SHA Rejected  SSLv3  256 bits
> ECDH-ECDSA-AES256-SHA Failed    SSLv3  256 bits  AES256-GCM-SHA384 
> Failed    SSLv3  256 bits  AES256-SHA256 Rejected  SSLv3  256 bits
> AES256-SHA Rejected  SSLv3  256 bits  CAMELLIA256-SHA Failed
> SSLv3  256 bits  PSK-AES256-CBC-SHA Rejected  SSLv3  168 bits
> ECDHE-RSA-DES-CBC3-SHA Rejected  SSLv3  168 bits
> ECDHE-ECDSA-DES-CBC3-SHA Rejected  SSLv3  168 bits
> SRP-DSS-3DES-EDE-CBC-SHA Rejected  SSLv3  168 bits
> SRP-RSA-3DES-EDE-CBC-SHA Rejected  SSLv3  168 bits
> EDH-RSA-DES-CBC3-SHA Rejected  SSLv3  168 bits
> EDH-DSS-DES-CBC3-SHA Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA 
> Rejected  SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA Rejected  SSLv3
> 168 bits  ADH-DES-CBC3-SHA Rejected  SSLv3  168 bits
> ECDH-RSA-DES-CBC3-SHA Rejected  SSLv3  168 bits
> ECDH-ECDSA-DES-CBC3-SHA Rejected  SSLv3  168 bits  DES-CBC3-SHA 
> Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA Failed    SSLv3
> 128 bits  ECDHE-RSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> ECDHE-ECDSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> ECDHE-RSA-AES128-SHA256 Failed    SSLv3  128 bits
> ECDHE-ECDSA-AES128-SHA256 Rejected  SSLv3  128 bits
> ECDHE-RSA-AES128-SHA Rejected  SSLv3  128 bits
> ECDHE-ECDSA-AES128-SHA Rejected  SSLv3  128 bits
> SRP-DSS-AES-128-CBC-SHA Rejected  SSLv3  128 bits
> SRP-RSA-AES-128-CBC-SHA Failed    SSLv3  128 bits
> DHE-DSS-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> DHE-RSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> DHE-RSA-AES128-SHA256 Failed    SSLv3  128 bits
> DHE-DSS-AES128-SHA256 Rejected  SSLv3  128 bits
> DHE-RSA-AES128-SHA Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA 
> Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA Rejected  SSLv3  128
> bits  DHE-DSS-SEED-SHA Rejected  SSLv3  128 bits
> DHE-RSA-CAMELLIA128-SHA Rejected  SSLv3  128 bits
> DHE-DSS-CAMELLIA128-SHA Rejected  SSLv3  128 bits
> AECDH-AES128-SHA Rejected  SSLv3  128 bits  SRP-AES-128-CBC-SHA 
> Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256 Failed    SSLv3
> 128 bits  ADH-AES128-SHA256 Rejected  SSLv3  128 bits
> ADH-AES128-SHA Rejected  SSLv3  128 bits  ADH-SEED-SHA Rejected
> SSLv3  128 bits  ADH-CAMELLIA128-SHA Failed    SSLv3  128 bits
> ECDH-RSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> ECDH-ECDSA-AES128-GCM-SHA256 Failed    SSLv3  128 bits
> ECDH-RSA-AES128-SHA256 Failed    SSLv3  128 bits
> ECDH-ECDSA-AES128-SHA256 Rejected  SSLv3  128 bits
> ECDH-RSA-AES128-SHA Rejected  SSLv3  128 bits
> ECDH-ECDSA-AES128-SHA Failed    SSLv3  128 bits  AES128-GCM-SHA256 
> Failed    SSLv3  128 bits  AES128-SHA256 Rejected  SSLv3  128 bits
> AES128-SHA Rejected  SSLv3  128 bits  SEED-SHA Rejected  SSLv3  128
> bits  CAMELLIA128-SHA Failed    SSLv3  128 bits
> PSK-AES128-CBC-SHA Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA 
> Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA Rejected  SSLv3  128
> bits  AECDH-RC4-SHA Rejected  SSLv3  128 bits  ADH-RC4-MD5 Rejected
> SSLv3  128 bits  ECDH-RSA-RC4-SHA Rejected  SSLv3  128 bits
> ECDH-ECDSA-RC4-SHA Rejected  SSLv3  128 bits  RC4-SHA Rejected
> SSLv3  128 bits  RC4-MD5 Failed    SSLv3  128 bits  PSK-RC4-SHA 
> Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA Rejected  SSLv3  56
> bits   EDH-DSS-DES-CBC-SHA Rejected  SSLv3  56 bits
> ADH-DES-CBC-SHA Rejected  SSLv3  56 bits   DES-CBC-SHA Rejected
> SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA Rejected  SSLv3  40 bits
> EXP-EDH-DSS-DES-CBC-SHA Rejected  SSLv3  40 bits
> EXP-ADH-DES-CBC-SHA Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA 
> Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5 Rejected  SSLv3  40 bits
> EXP-ADH-RC4-MD5 Rejected  SSLv3  40 bits   EXP-RC4-MD5 Rejected
> SSLv3  0 bits    ECDHE-RSA-NULL-SHA Rejected  SSLv3  0 bits
> ECDHE-ECDSA-NULL-SHA Rejected  SSLv3  0 bits    AECDH-NULL-SHA 
> Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA Rejected  SSLv3  0
> bits    ECDH-ECDSA-NULL-SHA Failed    SSLv3  0 bits    NULL-SHA256 
> Rejected  SSLv3  0 bits    NULL-SHA Rejected  SSLv3  0 bits
> NULL-MD5 Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384 
> Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Failed
> TLSv1  256 bits  ECDHE-RSA-AES256-SHA384 Failed    TLSv1  256 bits
> ECDHE-ECDSA-AES256-SHA384 Rejected  TLSv1  256 bits
> ECDHE-RSA-AES256-SHA Rejected  TLSv1  256 bits
> ECDHE-ECDSA-AES256-SHA Rejected  TLSv1  256 bits
> SRP-DSS-AES-256-CBC-SHA Rejected  TLSv1  256 bits
> SRP-RSA-AES-256-CBC-SHA Failed    TLSv1  256 bits
> DHE-DSS-AES256-GCM-SHA384 Failed    TLSv1  256 bits
> DHE-RSA-AES256-GCM-SHA384 Failed    TLSv1  256 bits
> DHE-RSA-AES256-SHA256 Failed    TLSv1  256 bits
> DHE-DSS-AES256-SHA256 Rejected  TLSv1  256 bits
> DHE-RSA-AES256-SHA Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA 
> Rejected  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA Rejected  TLSv1
> 256 bits  DHE-DSS-CAMELLIA256-SHA Rejected  TLSv1  256 bits
> AECDH-AES256-SHA Rejected  TLSv1  256 bits  SRP-AES-256-CBC-SHA 
> Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384 Failed    TLSv1
> 256 bits  ADH-AES256-SHA256 Rejected  TLSv1  256 bits
> ADH-AES256-SHA Rejected  TLSv1  256 bits  ADH-CAMELLIA256-SHA 
> Failed    TLSv1  256 bits  ECDH-RSA-AES256-GCM-SHA384 Failed
> TLSv1  256 bits  ECDH-ECDSA-AES256-GCM-SHA384 Failed    TLSv1  256
> bits  ECDH-RSA-AES256-SHA384 Failed    TLSv1  256 bits
> ECDH-ECDSA-AES256-SHA384 Rejected  TLSv1  256 bits
> ECDH-RSA-AES256-SHA Rejected  TLSv1  256 bits
> ECDH-ECDSA-AES256-SHA Failed    TLSv1  256 bits  AES256-GCM-SHA384 
> Failed    TLSv1  256 bits  AES256-SHA256 Rejected  TLSv1  256 bits
> AES256-SHA Rejected  TLSv1  256 bits  CAMELLIA256-SHA Failed
> TLSv1  256 bits  PSK-AES256-CBC-SHA Rejected  TLSv1  168 bits
> ECDHE-RSA-DES-CBC3-SHA Rejected  TLSv1  168 bits
> ECDHE-ECDSA-DES-CBC3-SHA Rejected  TLSv1  168 bits
> SRP-DSS-3DES-EDE-CBC-SHA Rejected  TLSv1  168 bits
> SRP-RSA-3DES-EDE-CBC-SHA Rejected  TLSv1  168 bits
> EDH-RSA-DES-CBC3-SHA Rejected  TLSv1  168 bits
> EDH-DSS-DES-CBC3-SHA Rejected  TLSv1  168 bits  AECDH-DES-CBC3-SHA 
> Rejected  TLSv1  168 bits  SRP-3DES-EDE-CBC-SHA Rejected  TLSv1
> 168 bits  ADH-DES-CBC3-SHA Rejected  TLSv1  168 bits
> ECDH-RSA-DES-CBC3-SHA Rejected  TLSv1  168 bits
> ECDH-ECDSA-DES-CBC3-SHA Rejected  TLSv1  168 bits  DES-CBC3-SHA 
> Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA Failed    TLSv1
> 128 bits  ECDHE-RSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> ECDHE-ECDSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> ECDHE-RSA-AES128-SHA256 Failed    TLSv1  128 bits
> ECDHE-ECDSA-AES128-SHA256 Rejected  TLSv1  128 bits
> ECDHE-RSA-AES128-SHA Rejected  TLSv1  128 bits
> ECDHE-ECDSA-AES128-SHA Rejected  TLSv1  128 bits
> SRP-DSS-AES-128-CBC-SHA Rejected  TLSv1  128 bits
> SRP-RSA-AES-128-CBC-SHA Failed    TLSv1  128 bits
> DHE-DSS-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> DHE-RSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> DHE-RSA-AES128-SHA256 Failed    TLSv1  128 bits
> DHE-DSS-AES128-SHA256 Rejected  TLSv1  128 bits
> DHE-RSA-AES128-SHA Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA 
> Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA Rejected  TLSv1  128
> bits  DHE-DSS-SEED-SHA Rejected  TLSv1  128 bits
> DHE-RSA-CAMELLIA128-SHA Rejected  TLSv1  128 bits
> DHE-DSS-CAMELLIA128-SHA Rejected  TLSv1  128 bits
> AECDH-AES128-SHA Rejected  TLSv1  128 bits  SRP-AES-128-CBC-SHA 
> Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256 Failed    TLSv1
> 128 bits  ADH-AES128-SHA256 Rejected  TLSv1  128 bits
> ADH-AES128-SHA Rejected  TLSv1  128 bits  ADH-SEED-SHA Rejected
> TLSv1  128 bits  ADH-CAMELLIA128-SHA Failed    TLSv1  128 bits
> ECDH-RSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> ECDH-ECDSA-AES128-GCM-SHA256 Failed    TLSv1  128 bits
> ECDH-RSA-AES128-SHA256 Failed    TLSv1  128 bits
> ECDH-ECDSA-AES128-SHA256 Rejected  TLSv1  128 bits
> ECDH-RSA-AES128-SHA Rejected  TLSv1  128 bits
> ECDH-ECDSA-AES128-SHA Failed    TLSv1  128 bits  AES128-GCM-SHA256 
> Failed    TLSv1  128 bits  AES128-SHA256 Rejected  TLSv1  128 bits
> AES128-SHA Rejected  TLSv1  128 bits  SEED-SHA Rejected  TLSv1  128
> bits  CAMELLIA128-SHA Failed    TLSv1  128 bits
> PSK-AES128-CBC-SHA Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA 
> Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA Rejected  TLSv1  128
> bits  AECDH-RC4-SHA Rejected  TLSv1  128 bits  ADH-RC4-MD5 Rejected
> TLSv1  128 bits  ECDH-RSA-RC4-SHA Rejected  TLSv1  128 bits
> ECDH-ECDSA-RC4-SHA Rejected  TLSv1  128 bits  RC4-SHA Rejected
> TLSv1  128 bits  RC4-MD5 Failed    TLSv1  128 bits  PSK-RC4-SHA 
> Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA Rejected  TLSv1  56
> bits   EDH-DSS-DES-CBC-SHA Rejected  TLSv1  56 bits
> ADH-DES-CBC-SHA Rejected  TLSv1  56 bits   DES-CBC-SHA Rejected
> TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA Rejected  TLSv1  40 bits
> EXP-EDH-DSS-DES-CBC-SHA Rejected  TLSv1  40 bits
> EXP-ADH-DES-CBC-SHA Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA 
> Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5 Rejected  TLSv1  40 bits
> EXP-ADH-RC4-MD5 Rejected  TLSv1  40 bits   EXP-RC4-MD5 Rejected
> TLSv1  0 bits    ECDHE-RSA-NULL-SHA Rejected  TLSv1  0 bits
> ECDHE-ECDSA-NULL-SHA Rejected  TLSv1  0 bits    AECDH-NULL-SHA 
> Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA Rejected  TLSv1  0
> bits    ECDH-ECDSA-NULL-SHA Failed    TLSv1  0 bits    NULL-SHA256 
> Rejected  TLSv1  0 bits    NULL-SHA Rejected  TLSv1  0 bits
> NULL-MD5
> 
> The cipher appears to be supported by both client (OpenSSL
> s_client) and server (Also using the same version of OpenSSL) but
> the handshake cannot complete.
> 
> Let's try another cipher. How about one that worked before: 
> DHE-RSA-AES256-SHA
> 
> 
> <Connector port="8218" 
> protocol="org.apache.coyote.http11.Http11AprProtocol" 
> SSLEnabled="true" secure="true" scheme="https" 
> SSLCipherSuite="DHE-RSA-AES256-SHA" SSLCertificateKeyFile="[...]" 
> SSLCertificateFile="[...]" SSLCertificateChainFile="[...]" 
> SSLProtocol="TLSv1" executor="tomcatThreadPool" URIEncoding="UTF-8"
> />
> 
> $ openssl c_client -connect myhost:8218 [...] SSL-Session: Protocol
> : TLSv1 Cipher    : DHE-RSA-AES256-SHA [...]
> 
> Works. Firefox 26 also works.
> 
> There must be some kind of problem with configuring 
> ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?

Oh, I also tried this:

       <Connector port="8218"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               secure="true"
               scheme="https"
               SSLCertificateKeyFile="[...]"
               SSLCertificateFile="[...]"
               SSLCertificateChainFile="[...]"
               SSLProtocol="TLSv1"
               executor="tomcatThreadPool"
               URIEncoding="UTF-8" />

$ openssl s_client -connect myhost:8218 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
140418231797416:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:741:

(Try some other cipher)
$ openssl s_client -connect myhost:8218 -cipher DHE-RSA-AES256-SHA

[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
[...]

$ sslscan myhost:8218 | grep ECDHE-ECDSA
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA

It looks like there is something wrong with the ECDHE-ECDSA suites. If
anything, this is an OpenSSL problem and not a Tomcat one: Tomcat
doesn't do anything with the crypto, here.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSyHqTAAoJEBzwKT+lPKRYn+UP/2NWRHf6kIinwnbic7IQ2EKR
097yrD4PO0P8HOn9I6vLV7SRYOXw0pJ7ysBMccyH3xSr8jsfgaLNqOA44Lkhi3SQ
pcjr+vtH5wsRljnZ/cYk/hTeDV6iZszNqdN/dRaxuXAYhOkilGcMw9onOGTnTC1e
/MOBTfaMn42VzApW/jlnynS4EkLxyF9M4l3yfky9nmtIaMS0Nrb+m+rDZIm22SJ3
z2ei6VsD1zgpLOnuwmOx8nurENNggOVAlmbiXI0GBLIDvHkrsTp2dOZzn0HM5Tea
1bx5Rz+jQu4BqombwsuqF4XKLyuURzz1JzFZQzZ+AuBny0VOEjOj4ib7Eo4t8+nM
Xd/iR7xNvMn4xRdsmHdxOpNJZJSgW33s9a6v0U4o3skIU50kHDXmKdP9qlt43V3n
RNDNCc8N3vgX7IivyDwhE9+VozCLuyCa6Sd7uteJlUH1urDcdvlWMPlnkwG4+sS8
WrBswUsp8FQpNJnWkZWgFu9lmsX57NDotAPrI8snH745D3JiCYRwb80H6ls3xLnC
Cv74vA8J8iyZ5pVuu/AgNmFZNvoc/Rvp0R/ZNvZVx8MsaBmO0KMvJGhFyCsnKiOz
h7zcQV4GT6SFOEMizbtyADicPcVH2LtBnjvktyogh8Sfq3g/d4WzooUWd5awIEO1
TncOiYG9S/aBjVZUBJXH
=PNIn
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

Reply via email to