Mark,

Thanks for the hint!  I added the following line to my connector and it did the 
trick!

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

Cheers,
James

On 6/22/16, 9:55 AM, "Mark Thomas" <ma...@apache.org> wrote:

On 22/06/2016 16:47, James Wiley wrote:
> Hi Tomcat Users,
> 
> Has anyone run into any issues supporting SSL using the JSSE Connector when 
> upgrading from 7.0.68 to 7.0.69?
> 
> I help maintain a web application that uses tomcat7.  A recent upgrade from 
> 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during 
> SSL Handshake” with the Apache proxy server.  The tomcat instance is running 
> in AWS using an Amazon Linux image (very similar to CentOS) using JDK 1.7.  
> Also, it is proxied by an Apache HTTP server, version 2.2.31.
> 
> I’ve gone through the SSL documentation and updated the settings without any 
> luck.  This instance is configured to use the JSSE Connector.  The following 
> configuration settings work fine under 7.0.68, but break under 7.0.69:
> 
> <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11Protocol"
>                SSLEnabled="true"
>                maxThreads="150"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>                keystoreFile="<some path to a keystore>"
>                keystorePass="<some keystore password>" />

I suspect the more restricted cipher list is the root cause. You can use
the Manager app or JMX to see which ciphers are enabled for a connector.
Compare the results for 7.0.68 and 7.0.69 along with what httpd supports
and adjust accordingly.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
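
The comparison Mark suggests (the connector's cipher list against what the proxy offers) can be scripted. The following is an added example, not part of the original thread or of Tomcat; the function names are hypothetical and PROXY_OFFER is a constructed sample standing in for httpd's real offer. It goes slightly beyond the thread by also noting suite properties worth reviewing.

```python
import xml.etree.ElementTree as ET

# Connector from the thread, trimmed to the TLS-relevant attributes.
CONNECTOR = """<Connector port="8443" SSLEnabled="true"
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"/>"""

# Constructed sample (assumption): suites the proxy offers, in IANA names.
PROXY_OFFER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

def canonical(name):
    """Older JSSE names use an SSL_ prefix where the IANA name uses TLS_."""
    name = name.strip()
    return "TLS_" + name[4:] if name.startswith("SSL_") else name

def connector_ciphers(xml_text):
    """Cipher list from the Connector element, in configured order."""
    raw = ET.fromstring(xml_text).get("ciphers", "")
    return [canonical(c) for c in raw.split(",") if c.strip()]

def review_notes(suite):
    """Properties of a suite worth a second look before keeping it enabled."""
    checks = [("3DES" in suite, "3DES: 64-bit block cipher"),
              (suite.startswith("TLS_RSA_WITH_"), "RSA key exchange: no forward secrecy"),
              ("_DSS_" in suite, "usable only with a DSA key in the keystore")]
    return [text for hit, text in checks if hit]

def audit(xml_text, peer_offer):
    """Suites both ends can negotiate, peer suites with no match, and notes."""
    configured = connector_ciphers(xml_text)
    peer = {canonical(s) for s in peer_offer}
    noted = {s: review_notes(s) for s in configured}
    return {"shared": [s for s in configured if s in peer],
            "peer_only": sorted(peer - set(configured)),
            "notes": {s: n for s, n in noted.items() if n}}

if __name__ == "__main__":
    report = audit(CONNECTOR, PROXY_OFFER)
    print("shared:", report["shared"] or "none, the handshake would fail")
    print("peer only:", report["peer_only"])
    for suite, found in report["notes"].items():
        print(suite, "->", "; ".join(found))
```

An empty "shared" list is the condition that produces a handshake failure between the proxy and the connector.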



