-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Matt,
On 1/21/15 2:16 PM, Matthew Mah wrote: > On 01/21/2015 11:26 AM, Christopher Schultz wrote: Matt, > > On 1/21/15 11:13 AM, Matthew Mah wrote: >>>> On 01/20/2015 10:08 AM, Christopher Schultz wrote: Matthew, >>>> >>>> On 1/18/15 1:54 PM, Matthew Mah wrote: >>>>>>> I have setup a Tomcat server using spring-boot with >>>>>>> SSL/TLS for secure websockets. >>>> Tomcat version? JVM version? Any relevant configuration? >>>>> Tomcat 8.0.15. multiple JVM: java version "1.7.0_55" >>>>> OpenJDK Runtime Environment java version "1.7.0_65" OpenJDK >>>>> Runtime Environment java version "1.7.0_71" OpenJDK Runtime >>>>> Environment I have tried the default ciphers, as well as: >>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >>>>> TLS_RSA_WITH_AES_128_CBC_SHA >>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA >>>>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA >>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both >>>>> supported and enabled for Android API 11+ >>>>> http://developer.android.com/reference/javax/net/ssl/SSLSocket.html >>>>> >>>>> I would prefer a stronger cipher suite (not SHA1), but right now >>>>> I am looking for anything that works. >>>> >>>>>>> This works for Android 4.4, iOS, Firefox, and Chrome >>>>>>> clients. Android 5.0 clients (Nexus 5) fail the SSL >>>>>>> handshake. >>>> What protocol and ciphers are those working browsers using? >>>>> Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1 Firefox: TLS v? >>>>> ECDHE RSA AES 128 CBC SHA1 >>>> Check the archives for a somewhat recent post by me including >>>> code to scan an SSL server for the protocols and ciphers it >>>> supports. >>>>> That's a great tool you've written. Using the shortlist of >>>>> cipher suites on Tomcat above, this is supported: Accepted >>>>> TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1 >>>>> TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1 >>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1 >>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1 >>>>> TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.1 >>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2 >>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2 >>>>> TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1.2 >>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA > > Cool. Is that the whole list? It's not many: just 3 different > ciphers for each of 3 protocols. It's possible there simply isn't > any match between what Android 5.0 can do and what you have > available. >> Yes, that's currently the whole list. I tried the default cipher >> suites first and when they did not work, I tried to slim down the >> list so that the openssl s_client would negotiate a cipher suite >> on the supported Android list. > > - From your SO posting, I can see you claim that > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is documented to be available > in Android's SSL/TLS API, so I'd be surprised if it didn't > connect. > > I wonder if this is a problem with the handshake only? >> I suspect there is a problem with Android 5's handshake. I've >> opened an Android bug report: >> https://code.google.com/p/android/issues/detail?id=103251 > >> If someone on the list had responded that they do have Android 5 >> connecting a websocket to Tomcat, it would probably be a >> configuration problem on my Tomcat server. Have you tried a plain-old HTTPS connection? No Websocket? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUwAsOAAoJEBzwKT+lPKRYoVgP/i+UvdtYuNWdWGbu9q4+p2Sm cNgqAuXiZOZxUP90dfylCMb/cDFqLsGKDiXnNAIuQhH+NLuZmsvN9ZrtCcnRpkaa KBaZK48znvljmOjGL0Hcgfqu4HpMaF3x9OxiS2wLKf7Q6nWkzzolxQKTl2dVwd++ CDh/Ip2Jd6JRKG8VLnVOBSjtnCcOKAtsD5RQTRCXux2ZuOFAT7dWD1W946C9I1bu 8RY7gyJSmz9K5V6XemBEVfCBnDxNZeWRIBx5NxO5BqFUvfA0z5q2q5I1aITNPyjO wf78S5XQCz01WaCZGQThhPlJd0cDPT7K7xGSxqoKCAz2rYRiQvg8EWsRlwEqo25m g+w6iLqBsu3RoBwrkjrPf9FDbdXUsx+a19cMHjUTx+8WMzCPVS8uypzNj2CioTX6 Ywjy9KNrzoa5qh2UAWkvvBhDZOkJHnM0+pKbPgUfV+GaPcw7H8ZYGCkIPGHtcR3T ryNsckNmaQhB7xq1lQVZK2eVdsLuXn4Rrl3RFPztWdylq2vp6d5tQh4o4rVtFb2M vFUTdMtqPo2q29qznFzkBh608CwRapNxZ8sHfaQOBpgqNkbs7dFuvz0r0DYgUQ9D 3ZbohAZ7aE7EUx+I0aGrPmh9r9fKpLtemfwKZOnMnkQiXgN3EXKidWpIi3IIfkv6 zG7c34Nf0TAz/3EWL56H =X7Oz -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org