On 01/21/2015 11:26 AM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Matt,
On 1/21/15 11:13 AM, Matthew Mah wrote:
On 01/20/2015 10:08 AM, Christopher Schultz wrote: Matthew,
On 1/18/15 1:54 PM, Matthew Mah wrote:
I have setup a Tomcat server using spring-boot with SSL/TLS
for secure websockets.
Tomcat version? JVM version? Any relevant configuration?
Tomcat 8.0.15. multiple JVM: java version "1.7.0_55" OpenJDK
Runtime Environment java version "1.7.0_65" OpenJDK Runtime
Environment java version "1.7.0_71" OpenJDK Runtime Environment
I have tried the default ciphers, as well as:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both supported
and enabled for Android API 11+
http://developer.android.com/reference/javax/net/ssl/SSLSocket.html
I would prefer a stronger cipher suite (not SHA1), but right now
I am looking for anything that works.
This works for Android 4.4, iOS, Firefox, and Chrome
clients. Android 5.0 clients (Nexus 5) fail the SSL
handshake.
What protocol and ciphers are those working browsers using?
Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1 Firefox: TLS v? ECDHE
RSA AES 128 CBC SHA1
Check the archives for a somewhat recent post by me including code
to scan an SSL server for the protocols and ciphers it supports.
That's a great tool you've written. Using the shortlist of cipher
suites on Tomcat above, this is supported: Accepted TLSv1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1
TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1
TLS_DHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1
TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1
TLS_DHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2
TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Cool. Is that the whole list? It's not many: just 3 different ciphers
for each of 3 protocols. It's possible there simply isn't any match
between what Android 5.0 can do and what you have available.
Yes, that's currently the whole list. I tried the default cipher suites
first and when they did not work, I tried to slim down the list so that
the openssl s_client would negotiate a cipher suite on the supported
Android list.
- From your SO posting, I can see you claim that
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is documented to be available in
Android's SSL/TLS API, so I'd be surprised if it didn't connect.
I wonder if this is a problem with the handshake only?
I suspect there is a problem with Android 5's handshake. I've opened an
Android bug report:
https://code.google.com/p/android/issues/detail?id=103251
If someone on the list had responded that they do have Android 5
connecting a websocket to Tomcat, it would probably be a configuration
problem on my Tomcat server.
What does your <Connector> configuration look like?
I am using spring-boot 1.2.1, and I don't have that set explicitly. The
configuration I do have is the spring boot application.properties:
server.ssl.key-store = mind7.cs.umd.edu.chained.p12
server.ssl.key-store-password = secret
server.ssl.key-store-type = PKCS12
Otherwise the configuration is the default for spring-boot.
Perhaps you have to re-enable the SSLv2hello protocol. (Note that this
does not allow SSLv2 or SSLv3 to be used as the protocol... only to
start the handshake using the old protocol).
I will look into this for spring boot. Thanks.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJUv9NEAAoJEBzwKT+lPKRY7QwQAJOJUhBJT4F7jzuT44+vp3oF
2qd+cJLcNtF0Q6u+eyjrWLtvih+AlkxkXvEl9ezOqD5KEwnv0OHk+UDXO6NNu9ha
f+X/dXWIr6+WBX9+GAF83b3G4+ZT6VqyYLjj1ydUkx5LIW6JHDbDbXbtt0OGCzN+
q98e0NKOFs2jcw0fudWWtQj1pg7VIMH5eviTdjMWSQursK1MC5n6Byreq0a1KqaP
uxbmFI9NgnD9YFm+FCZeDz2Bwj76oHBYdB01TvqDFvvkihepz7SlqsuSLqBOO3Ev
s3yIuq6WFIcZUjmqBmrX4aR35DsOzDTS6XRXLuS2vxKn8/WEoclezRmPlqU++f7I
qy7EBZEe6wkCTxGtd13/3YbXHhfixvjwplh6127gmLQtfYRF40N++7ZTIAUejLBK
bLoeB12NGbFOsPjrSXXcYb0Bj9oz9OKYYCFLL7tgLfBFgtZfh8g8xQuu8DTBs+Ue
4qXDvYDuEq1o4xlgTtQClUq2YG8dKq30U4LMW3K8e7bZFZw7yof2GW2IatWHaljj
RcIM9kUxXYrUC3ak4oLJ03xRCqpu6xoouAGr/WVfT182el+CVIJM93llvxA3ULRb
AeyF8J+svDiEBeZ4TNmuIp4LVbjBBYlOy7rG3SswHYHUw5KWjzQNNUlN63S1IvL5
gEfezVm/77xilOEMPp9+
=5tO3
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org