Hello,

I have been working to set up Apache Tomcat 8.5.15 to establish a secure 
connection to web applications on our server. However, I have been having 
difficulties setting up this functionality.

The most meaningful error we have been getting is from Firefox: "Unsupported 
elliptic curve. Error code: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE". We have 
set up Tomcat to fully debug javax.net, and from these logs it appears that the 
handshake is failing at the server or client key exchange. Below is the output 
after reaching the server key exchange:

ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: <key value>
*** ServerHelloDone
[write] MD5 and SHA1 hashes:  len = 5073
<Large block of hex>
https-jsse-nio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 5073
[Raw write]: length = 5078
<Large block of hex>
https-jsse-nio-8443-exec-1, WRITE: TLSv1.2 Handshake, length = 5073
[Raw write]: length = 5078
<Large block of hex>
[Raw read]: length = 2
<small block of hex>
<Large block of hex>
https-jsse-nio-8443-exec-5, READ: TLSv1.2 Alert, length = 2
https-jsse-nio-8443-exec-5, RECV TLSv1.2 ALERT:  fatal, illegal_parameter
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
https-jsse-nio-8443-exec-5, called closeOutbound()
https-jsse-nio-8443-exec-5, closeOutboundInternal()
https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT:  warning, description = 
close_notify
https-jsse-nio-8443-exec-5, WRITE: TLSv1.2 Alert, length = 2
--------------------------------------------------------------------------------
There isn't any error output on stderr, only standard print statements. The 
cipher suite that is chosen is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Below are 
some details about the machine we are running Tomcat on:

Windows Server 2012 R2 64 bit
16gb ram
2.2ghz intel xeon cpu
Java 1.8.131

Here is the connector in our server.xml file:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           defaultSSLHostConfigName="<hostname>">
    <SSLHostConfig hostname="<hostname>"
                   protocols="TLSv1.2"
                   sslProtocol="TLSv1.2">
        <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
                     certificateKeystorePassword="<password>"
                     certificateKeystoreType="PKCS12"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

Some additional notes:

  1.  The server we are running this on is internal and therefore can't be 
accessed outside our network
  2.  The web browser on the machine is unable to access the web application 
locally due to our network security
  3.  I am able to connect via http to the web apps

Any assistance that could be provided in this matter would be greatly 
appreciated.

Thank you,
Kevin
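A diagnostic added here, not part of Kevin's message and not Tomcat's or the JDK's own code: the javax.net debug output above dumps the raw handshake bytes, and the client's fatal illegal_parameter arrives right after the server's ServerKeyExchange. The usual meaning of that alert at that point is that the ECDHE parameters the server sent use a curve the client did not offer. The script below parses TLS 1.2 records, pulls the supported_groups list out of the ClientHello and the named curve out of the ServerKeyExchange, and reports whether they agree. It assumes the "[Raw read]"/"[Raw write]" hex dumps can be turned into bytes with bytes.fromhex once the offset and ASCII columns are stripped; the sample ClientHello and ServerKeyExchange at the bottom are constructed for the demonstration, not taken from the poster's log. The group ids (23 = secp256r1, 24 = secp384r1, 25 = secp521r1, 29 = x25519, 30 = x448) and the suite id 0xC02F are the IANA-registered values.

```python
# Added diagnostic (not from the original mail or from Tomcat): compare the curve
# the server chose in ServerKeyExchange with the curves the client offered in
# ClientHello's supported_groups extension.
import struct

HANDSHAKE_RECORD = 22
CLIENT_HELLO, SERVER_KEY_EXCHANGE = 1, 12
SUPPORTED_GROUPS_EXT = 10
NAMED_CURVE = 3                       # ECCurveType.named_curve
NAMED_GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
                29: "x25519", 30: "x448"}   # IANA TLS Supported Groups ids


def iter_handshake_messages(data):
    """Yield (msg_type, body) for every handshake message in a stream of TLS
    records; alert and change_cipher_spec records are skipped."""
    buf, off = b"", 0
    while off + 5 <= len(data):
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        off += 5
        if ctype == HANDSHAKE_RECORD:
            buf += data[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(buf):
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        yield buf[pos], buf[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen


def client_supported_groups(body):
    """Return the group ids listed in ClientHello's supported_groups extension."""
    pos = 2 + 32                                            # client_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return []                                           # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", body[pos:pos + 2])[0]
            return [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0]
                    for i in range(0, n, 2)]
        pos += elen
    return []


def server_named_curve(body):
    """ECDHE ServerKeyExchange begins with ECParameters: curve_type(1) and, for
    named_curve, a 2-byte group id. Other curve types are reported as None."""
    if body[0] != NAMED_CURVE:
        return None
    return struct.unpack("!H", body[1:3])[0]


def diagnose(capture):
    """Summarise offered vs. chosen curve for one captured handshake."""
    offered, chosen = [], None
    for mtype, body in iter_handshake_messages(capture):
        if mtype == CLIENT_HELLO:
            offered = client_supported_groups(body)
        elif mtype == SERVER_KEY_EXCHANGE:
            chosen = server_named_curve(body)
    name = lambda g: NAMED_GROUPS.get(g, "unknown(%d)" % g)
    return {"offered": [name(g) for g in offered],
            "chosen": None if chosen is None else name(chosen),
            "match": chosen is not None and chosen in offered}


# ---- constructed sample messages (illustration only, not the poster's bytes) ----
def _record(body):
    return bytes([HANDSHAKE_RECORD, 3, 3]) + struct.pack("!H", len(body)) + body


def _handshake(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(groups):
    lst = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(lst)) + lst
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    return _record(_handshake(CLIENT_HELLO, body))


def build_server_key_exchange(curve_id):
    point = b"\x04" + b"\x22" * 64                      # dummy uncompressed EC point
    body = (bytes([NAMED_CURVE]) + struct.pack("!H", curve_id)
            + bytes([len(point)]) + point
            + b"\x04\x01"                              # SignatureAndHashAlgorithm: sha256, rsa
            + struct.pack("!H", 4) + b"\x00" * 4)      # dummy signature
    return _record(_handshake(SERVER_KEY_EXCHANGE, body))


if __name__ == "__main__":
    ok = build_client_hello([23, 24]) + build_server_key_exchange(23)
    bad = build_client_hello([23, 24]) + build_server_key_exchange(25)
    print(diagnose(ok))    # match: True
    print(diagnose(bad))   # match: False, server picked secp521r1 which the client never offered
```

To use it on the real log, concatenate the bytes of the ClientHello record (the "[Raw read]" dump before the server's flight) with the server's "[Raw write]" records and pass them to diagnose(). If "chosen" is not in "offered", the illegal_parameter alert is explained by the server's curve selection, and the next thing to check is which named curves the installed Java 8 build enables for JSSE on that host versus the ones the browser advertises; if they do agree, the curve is not the problem and the signature or certificate parameters in the same message are the next suspects.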
