If you remove the entire ciphers attribute from the server.xml, then by default the SSL/TLS session picks the best available cipher for the SSL/TLS handshake version.
On Wed, Aug 5, 2015 at 4:10 PM, Nikitha Benny <nikki.be...@gmail.com> wrote:
> Hi Sanaullah,
>
> That is because we have removed the entire "ciphers" attribute from the server.xml file.
> But that should be fine, as the non-compliant FIPS also has the "cipher" attribute removed and it shows the similar client-to-server connection and runs fine.
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 4:28 PM, Sanaullah <sanaulla...@gmail.com> wrote:
> > Run this command with debugging prints.
> >
> > openssl s_client -connect 16.183.93.84:8444 -debug -msg
> >
> > > Protocol : TLSv1.2
> > > Cipher : 0000
> >
> > It seems something is broken, as there is no Cipher.
> >
> > Regards,
> > Sanaullah
> >
> > On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny <nikki.be...@gmail.com> wrote:
> > > Hi Mark, Sanaullah,
> > >
> > > Thank you for your valuable suggestion.
> > >
> > > I just ran the openssl s_client scan, and it looks like the server side is running fine on the TLSv1.2 protocol.
> > >
> > > [root]## openssl s_client -connect 16.183.93.84:8444
> > > CONNECTED(00000003)
> > > - - - - - - -
> > > - - - - - - -
> > > - - - - - - -
> > > - - - - - - -
> > >
> > > 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> > > dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> > > Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> > > d/A4
> > > -----END CERTIFICATE-----
> > > subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> > > issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 1476 bytes and written 7 bytes
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Server public key is 2048 bit
> > > Secure Renegotiation IS supported
> > > Compression: NONE
> > > Expansion: NONE
> > > SSL-Session:
> > >     Protocol  : TLSv1.2
> > >     Cipher    : 0000
> > >     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> > >     Session-ID-ctx:
> > >     Master-Key:
> > >     Key-Arg   : None
> > >     Krb5 Principal: None
> > >     PSK identity: None
> > >     PSK identity hint: None
> > >     Start Time: 1438771286
> > >     Timeout   : 300 (sec)
> > >     Verify return code: 18 (self signed certificate)
> > >
> > > So could it be an issue with the browser?
> > > Since the browser is not FIPS compliant, could that be the reason for the issue?
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah <sanaulla...@gmail.com> wrote:
> > > > Hi Nikhita,
> > > >
> > > > Run the sslscan tool from the command line, or openssl s_client in debug mode.
> > > > https://github.com/rbsec/sslscan
> > > >
> > > > Regards,
> > > > Sanaullah
> > > >
> > > > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny <nikki.be...@gmail.com> wrote:
> > > > > Hi Mark,
> > > > >
> > > > > My server is not on a public domain.
> > > > > How can I verify the setup, which is on a private network?
> > > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas <ma...@apache.org> wrote:
> > > > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > > > Hi Mark,
> > > > > > >
> > > > > > > When I try to run Tomcat on the https server port:
> > > > > > >
> > > > > > > https://<ip address>:8444/
> > > > > > >
> > > > > > > It says as below:
> > > > > > > ----------
> > > > > > >
> > > > > > > SSL connection error
> > > > > > >
> > > > > > > ERR_SSL_PROTOCOL_ERROR
> > > > > > >
> > > > > > > Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have
> > > > > > > ------------
> > > > > >
> > > > > > That is the client side. What about server side logs?
> > > > > >
> > > > > > > We have set the client authentication to False, so it does not need any client authorized certificate.
> > > > > >
> > > > > > I recommend you run https://www.ssllabs.com/ssltest/ against your server. That will tell you if you have a server side issue, a client side issue or simply a mismatch between the two.
> > > > > >
> > > > > > Mark
> > > > > >
> > > > > > > Regards,
> > > > > > > Nikitha
> > > > > > >
> > > > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.be...@gmail.com> wrote:
> > > > > > >
> > > > > > >>> But still Tomcat does not run on the https port.
> > > > > > >>
> > > > > > >> As in, when we run Tomcat on the https server port it does not display the page.
> > > > > > >> Whereas it goes through fine on the http port. The URL opens.
> > > > > > >>
> > > > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote:
> > > > > > >>
> > > > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > > > > >>>> Hello Mark,
> > > > > > >>>>
> > > > > > >>>> Thanks for your valuable suggestion.
> > > > > > >>>>
> > > > > > >>>> We were successful in creating the pkcs12 keystore which picks up SHA256 as shown below:
> > > > > > >>>
> > > > > > >>> <snip/>
> > > > > > >>>
> > > > > > >>>> But still Tomcat does not run on the https port.
> > > > > > >>>
> > > > > > >>> Define "does not run".
> > > > > > >>>
> > > > > > >>>> Any clue as to why this happens?
> > > > > > >>>
> > > > > > >>> Based on the information provided so far, no.
> > > > > > >>>
> > > > > > >>>> The protocol I am using is "org.apache.coyote.http11.Http11Protocol".
> > > > > > >>>
> > > > > > >>> OK. That is the HTTP BIO connector.
> > > > > > >>>
> > > > > > >>>> Could it be because I am not using an APR connector protocol?
> > > > > > >>>
> > > > > > >>> No.
> > > > > > >>>
> > > > > > >>> Mark
> > > > > > >>>
> > > > > > >>> ---------------------------------------------------------------------
> > > > > > >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > > > >>> For additional commands, e-mail: users-h...@tomcat.apache.org
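The decisive clue in this thread is the handshake summary from openssl s_client: "New, (NONE), Cipher is (NONE)" together with "Cipher : 0000" means no cipher suite was ever agreed, even though a certificate was received. Because the server sits on a private network where the ssllabs test cannot reach it, it helps to turn that manual reading into a scriptable check. The following Python is an added example and not part of the original thread or of Tomcat or OpenSSL: it parses the tail of s_client output and returns a verdict plus findings. The two sample outputs are constructed; the failed one reuses the values quoted in the thread (certificate body omitted), the successful one uses illustrative values.

```python
import re

# Constructed sample: the tail of the openssl s_client output quoted in the
# thread, with the certificate chain omitted. Values are the thread's own.
SAMPLE_FAILED_OUTPUT = """\
CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
    Session-ID-ctx:
    Master-Key:
    Verify return code: 18 (self signed certificate)
"""

# Constructed sample of a completed handshake, for contrast. The cipher name,
# byte counts and master key here are illustrative, not captured anywhere.
SAMPLE_OK_OUTPUT = """\
CONNECTED(00000003)
---
SSL handshake has read 1624 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Master-Key: 0A1B2C3D4E5F
    Verify return code: 0 (ok)
"""


def parse_s_client(output: str) -> dict:
    """Pull the summary fields s_client prints after the certificate chain."""
    summary = {}
    m = re.search(r"^SSL handshake has read (\d+) bytes and written (\d+) bytes",
                  output, re.M)
    if m:
        summary["bytes_read"] = int(m.group(1))
        summary["bytes_written"] = int(m.group(2))
    # "New, <version>, Cipher is <suite>" is the line openssl prints once the
    # handshake is over; "(NONE)" here means no suite was agreed.
    m = re.search(r"^New, ([^,]+), Cipher is (.+)$", output, re.M)
    if m:
        summary["negotiated_cipher"] = m.group(2).strip()
    # Indented "Key : value" lines inside the SSL-Session block.
    for key in ("Protocol", "Cipher", "Master-Key", "Verify return code"):
        m = re.search(rf"^\s*{re.escape(key)}\s*: ?(.*)$", output, re.M)
        if m:
            summary[key] = m.group(1).strip()
    return summary


def handshake_completed(summary: dict) -> bool:
    """True only if a real suite was negotiated and a master secret exists."""
    if summary.get("negotiated_cipher", "(NONE)") == "(NONE)":
        return False
    if summary.get("Cipher") in (None, "", "0000"):
        return False
    return bool(summary.get("Master-Key"))


def diagnose(output: str) -> list:
    """Findings a defender would log when probing an HTTPS connector."""
    s = parse_s_client(output)
    findings = []
    if not handshake_completed(s):
        findings.append(
            "handshake did not complete: no cipher suite negotiated "
            f"(Cipher is {s.get('negotiated_cipher', '?')}, "
            f"Cipher : {s.get('Cipher', '?')}, "
            f"read {s.get('bytes_read', '?')} / written {s.get('bytes_written', '?')} bytes)")
    code = s.get("Verify return code", "")
    if code and not code.startswith("0 "):
        findings.append(f"certificate verification failed: {code}")
    return findings


if __name__ == "__main__":
    for label, text in (("thread", SAMPLE_FAILED_OUTPUT), ("ok", SAMPLE_OK_OUTPUT)):
        print(label, diagnose(text) or ["handshake completed"])
```

In practice the input would be the captured stdout of `openssl s_client -connect host:port` (redirect `< /dev/null` so it does not wait for input). Note that a non-zero "Verify return code" such as 18 (self signed certificate) is reported separately from the cipher failure: a self-signed certificate alone does not stop s_client from negotiating a suite, so the "(NONE)" cipher points at the connector's protocol or cipher configuration rather than at trust.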