I wrote:
I mean, I know that I need to get HTTPAPI and Tomcat speaking the
same language, but where do I begin?
Here's what I got back when I ran the SSLLabs server test on the cloud
server:
Protocols
  TLS 1.3  No
  TLS 1.2  Yes
  TLS 1.1  Yes
  TLS 1.0  Yes
  SSL 3    No
  SSL 2    No
Cipher Suites
  # TLS 1.2 (server has no preference)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
  # TLS 1.1 (server has no preference)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
  # TLS 1.0 (server has no preference)
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the operating
system's SSL support (which was how I thought it worked), and directed
to look through the system values to see what it supports. What I found was:
QSSLPCL *SEC Secure sockets layer protocols
> *OPSYS
(which I'm pretty sure means that all OS-supported protocols are
available; they can also be individually specified as any or all of
*TLSV1, *SSLV3, and *SSLV2)
QSSLCSL *SEC Secure sockets layer cipher specification list
*RSA_AES_128_CBC_SHA
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_NULL_SHA
*RSA_NULL_MD5
and unfortunately, IBM doesn't backport new cipher suites to older OS
releases.
--
JHHL
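
Added example (not part of the original message, and not HTTPAPI, Tomcat or IBM code): a small Python check that compares the two listings above and reports which protocols, cipher suites and key-exchange methods the client and server have in common. It assumes the QSSLCSL names map to IANA names as *RSA_x -> TLS_RSA_WITH_x (and *RSA_EXPORT_x -> TLS_RSA_EXPORT_WITH_x), and that *OPSYS covers the three protocol values named in the message; the function names and the WEAK filter are hypothetical.

```python
import re

# Constructed from the listings in the message above.
SERVER_SCAN = """\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
"""
SERVER_PROTOCOLS = {"TLS 1.2", "TLS 1.1", "TLS 1.0"}
QSSLCSL = """\
*RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5 *RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA *RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA *RSA_NULL_MD5
"""
# QSSLPCL values named in the message, mapped to the scanner's labels (assumption).
QSSLPCL_TO_LABEL = {"*TLSV1": "TLS 1.0", "*SSLV3": "SSL 3", "*SSLV2": "SSL 2"}
# Hypothetical filter: no encryption, export-grade, RC4, single DES, or MD5 MAC.
WEAK = re.compile(r"NULL|EXPORT|RC4|_DES_|MD5")

def server_suites(scan):
    """Suite names at the start of each scanner line."""
    return set(re.findall(r"^(TLS_\w+)", scan, re.M))

def client_suites(sysval):
    """Translate QSSLCSL entries to IANA-style names (assumed mapping)."""
    out = []
    for name in sysval.split():
        m = re.fullmatch(r"\*RSA_(EXPORT_)?(\w+)", name)
        out.append("TLS_RSA_" + (m.group(1) or "") + "WITH_" + m.group(2))
    return out

def key_exchange(suite):
    """Part of the suite name between TLS_ and _WITH_."""
    return suite[len("TLS_"):].split("_WITH_")[0]

def compare(scan, sysval, server_protocols, client_protocols):
    srv, cli = server_suites(scan), client_suites(sysval)
    return {
        "protocols": sorted(server_protocols & client_protocols),
        "suites": sorted(srv & set(cli)),
        "server_kx": sorted({key_exchange(s) for s in srv}),
        "client_kx": sorted({key_exchange(s) for s in cli}),
        # Client suites that pass the WEAK filter, in the client's order.
        "client_filtered": [s for s in cli if not WEAK.search(s)],
    }

if __name__ == "__main__":
    result = compare(SERVER_SCAN, QSSLCSL, SERVER_PROTOCOLS,
                     set(QSSLPCL_TO_LABEL.values()))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the two listings, the protocol sets overlap but the suite sets do not: every server suite uses ECDHE_RSA key exchange and every client suite uses static RSA.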