Edward,

On 10/7/14 2:35 PM, Brewer, Edward L wrote:
> Oh... Here is the entry in our server.xml (probably the most
> important part)
>
> <Connector port="<Omitted>" address="<Omitted>"
> protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
> scheme="https" secure="true" clientAuth="false"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
>
> keyAlias="<omitted>"
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
>
> keystorePass="<omitted>" />

So you are using JSSE and haven't specified an sslProtocol, so you are
getting the default which is TLS (which, for Java, really means SSLv3,
TLSv1, TLSv1.1, and TLSv1.2).

You are specifying a very small number of cipher suites (only 3) so
perhaps that's the problem. Note that all your cipher suites start with
SSL_* and none with TLS_*. That's not in itself a problem, but you are
restricting your server to using old cipher suites and not allowing new
ones.

You can find code in the archives to pull the list of supported and
enabled-by-default cipher suites for your JVM.

What happens if you lift the restriction on the ciphers list so that
JSSE will use its default set?

> Here is the error that I see from curl
>
> curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno
> 104

Try using "openssl s_client" -- it gives much more information about
the connection.

-chris
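
An added example, not code from this message or from the list archives: one way to list the JVM's supported and enabled-by-default cipher suites and protocols, and to check the three suites from the quoted Connector against them. The class name and the hard-coded CONFIGURED list are this example's own assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: the class name is hypothetical, not from the thread.
public class ListCipherSuites {
    // The three suites copied from the quoted Connector's ciphers attribute.
    static final String[] CONFIGURED = {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
        // The default JSSE context of the JVM this program runs on.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters def = ctx.getDefaultSSLParameters();
        SSLParameters sup = ctx.getSupportedSSLParameters();

        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(def.getCipherSuites()));
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(sup.getCipherSuites()));

        System.out.println("Default protocols:   " + Arrays.toString(def.getProtocols()));
        System.out.println("Supported protocols: " + Arrays.toString(sup.getProtocols()));

        System.out.println("Supported cipher suites (* = enabled by default):");
        for (String s : supported) {
            System.out.println((enabled.contains(s) ? " * " : "   ") + s);
        }

        // Classify each configured suite against what this JVM reports.
        System.out.println("Suites from the Connector's ciphers list:");
        for (String s : CONFIGURED) {
            String state = enabled.contains(s) ? "enabled by default"
                         : supported.contains(s) ? "supported, not enabled by default"
                         : "not supported by this JVM";
            System.out.println("   " + s + " -> " + state);
        }
    }
}
```

Run it with the same JVM that runs Tomcat so the output reflects that JVM's JSSE provider.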