-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Matt,
On 1/21/15 11:13 AM, Matthew Mah wrote: > On 01/20/2015 10:08 AM, Christopher Schultz wrote: Matthew, > > On 1/18/15 1:54 PM, Matthew Mah wrote: >>>> I have setup a Tomcat server using spring-boot with SSL/TLS >>>> for secure websockets. > Tomcat version? JVM version? Any relevant configuration? >> Tomcat 8.0.15. multiple JVM: java version "1.7.0_55" OpenJDK >> Runtime Environment java version "1.7.0_65" OpenJDK Runtime >> Environment java version "1.7.0_71" OpenJDK Runtime Environment > >> I have tried the default ciphers, as well as: >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA > >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both supported >> and enabled for Android API 11+ >> http://developer.android.com/reference/javax/net/ssl/SSLSocket.html > >> I would prefer a stronger cipher suite (not SHA1), but right now >> I am looking for anything that works. > > >>>> This works for Android 4.4, iOS, Firefox, and Chrome >>>> clients. Android 5.0 clients (Nexus 5) fail the SSL >>>> handshake. > What protocol and ciphers are those working browsers using? >> Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1 Firefox: TLS v? ECDHE >> RSA AES 128 CBC SHA1 > > Check the archives for a somewhat recent post by me including code > to scan an SSL server for the protocols and ciphers it supports. >> That's a great tool you've written. Using the shortlist of cipher >> suites on Tomcat above, this is supported: Accepted TLSv1 >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1 >> TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1 >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1 >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1 >> TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1 >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2 >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2 >> TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2 >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA Cool. Is that the whole list? It's not many: just 3 different ciphers for each of 3 protocols. It's possible there simply isn't any match between what Android 5.0 can do and what you have available. - From your SO posting, I can see you claim that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is documented to be available in Android's SSL/TLS API, so I'd be surprised if it didn't connect. I wonder if this is a problem with the handshake only? What does your <Connector> configuration look like? Perhaps you have to re-enable the SSLv2hello protocol. (Note that this does not allow SSLv2 or SSLv3 to be used as the protocol... only to start the handshake using the old protocol). - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUv9NEAAoJEBzwKT+lPKRY7QwQAJOJUhBJT4F7jzuT44+vp3oF 2qd+cJLcNtF0Q6u+eyjrWLtvih+AlkxkXvEl9ezOqD5KEwnv0OHk+UDXO6NNu9ha f+X/dXWIr6+WBX9+GAF83b3G4+ZT6VqyYLjj1ydUkx5LIW6JHDbDbXbtt0OGCzN+ q98e0NKOFs2jcw0fudWWtQj1pg7VIMH5eviTdjMWSQursK1MC5n6Byreq0a1KqaP uxbmFI9NgnD9YFm+FCZeDz2Bwj76oHBYdB01TvqDFvvkihepz7SlqsuSLqBOO3Ev s3yIuq6WFIcZUjmqBmrX4aR35DsOzDTS6XRXLuS2vxKn8/WEoclezRmPlqU++f7I qy7EBZEe6wkCTxGtd13/3YbXHhfixvjwplh6127gmLQtfYRF40N++7ZTIAUejLBK bLoeB12NGbFOsPjrSXXcYb0Bj9oz9OKYYCFLL7tgLfBFgtZfh8g8xQuu8DTBs+Ue 4qXDvYDuEq1o4xlgTtQClUq2YG8dKq30U4LMW3K8e7bZFZw7yof2GW2IatWHaljj RcIM9kUxXYrUC3ak4oLJ03xRCqpu6xoouAGr/WVfT182el+CVIJM93llvxA3ULRb AeyF8J+svDiEBeZ4TNmuIp4LVbjBBYlOy7rG3SswHYHUw5KWjzQNNUlN63S1IvL5 gEfezVm/77xilOEMPp9+ =5tO3 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org