On 05/10/17 18:52, James H. H. Lampert wrote:
> This just keeps getting weirder.
> 
> Late yesterday afternoon, I did a lengthy "stare-and-compare" between
> what SSLInfo returned for the two different Tomcat servers, and I
> couldn't find any differences. But then, I got called away from this on
> something that kept me in the office until after 7 PM.
> 
> Finally getting back to it, I looked at the "connector ciphers" on the
> Tomcat 8 manager (there isn't one on the Tomcat 7 manager), and saw that
> only 16 of the 36 ciphers that SSLInfo starred as "default" are actually
> enabled in Tomcat.

It might help to think of it like this:

There are the ciphers that a JVM supports.
The JVM only enables a sub-set of the supported ciphers by default.
Tomcat with a default configuration only uses a sub-set of the ciphers
that the JVM enables by default.

This is a little dated but might help:
https://wiki.apache.org/tomcat/Security/Ciphers

> Then, using what Mr. Schultz told me about reading cipher names, I
> compared what actually *does* come up in the Tomcat 8 manager with the
> DSPSYSVAL on the AS/400. And I found that if
>> *RSA_AES_256_CBC_SHA
> is the same as
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> 
> then maybe we DO have a common cipher, at least in theory (unless
> "ECDHE" makes it otherwise).

ECDHE makes them different.

> Unfortunately, I can't run the local box's Tomcat server through
> SSLLabs, because it's on a nonstandard port number, and Tomcat 7 doesn't
> have a "connector ciphers" button on the manager main page.
> 
> The cloud box is a Google Compute Engine instance. Is it possible that
> Google is somehow vetoing the handshake?

It looks like you have an incompatible set of ciphers configured.

As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA is the
least worse option. The Java name for this is:
TLS_RSA_WITH_AES_256_CBC_SHA

Mark
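As an added illustration of the three tiers described above (supported by the JVM, enabled by the JVM by default, and then further narrowed by Tomcat's connector configuration), here is a small Java program that is not from the thread, Tomcat, or the JDK: it asks the running JVM for its supported and default-enabled suites and classifies candidate suite names, starting with the two Java names discussed above. Tomcat's own narrowing happens in the connector configuration and is not visible to this program.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Reports, for each candidate cipher suite name, whether the running JVM
 * supports it at all and whether it enables it by default. Run with no
 * arguments to check the two suites from the thread, or pass Java suite
 * names as arguments. Example output is not shown because it depends on
 * the JVM vendor and version this is run on.
 */
public class CipherTiers {

    // Constructed candidate list: the two Java suite names from the thread.
    // Note that the ECDHE_ suite is a different suite from the plain RSA one.
    private static final String[] DEFAULT_CANDIDATES = {
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Tier 1: everything the JVM's provider implements.
        Set<String> supported = new LinkedHashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        // Tier 2: the subset the JVM will actually offer unless told otherwise.
        Set<String> enabled = new LinkedHashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.printf("JVM supports %d suites, enables %d by default%n",
            supported.size(), enabled.size());

        String[] candidates = args.length > 0 ? args : DEFAULT_CANDIDATES;
        for (String name : candidates) {
            System.out.printf("%-40s %s%n", name, classify(name, supported, enabled));
        }
    }

    /** Places one suite name into one of the three tiers. */
    static String classify(String name, Set<String> supported, Set<String> enabled) {
        if (enabled.contains(name)) {
            return "enabled by default";
        }
        if (supported.contains(name)) {
            return "supported but NOT enabled by default (must be listed explicitly)";
        }
        return "not supported by this JVM";
    }
}
```

Running it under the same JVM that runs Tomcat shows which of the suites a peer expects are even candidates before Tomcat's connector cipher list is considered.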
