On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:
> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" <vamsi_a_g...@keybank.com.invalid>
> wrote:
>
> The debug log produced following & it's evident that handshake is failing
> due to no ciphers suites in common.
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57
> *** ClientHello, TLSv1.2
> RandomCookie: GMT: -2042962343 <(204)%20296-2343> bytes = { 199, 95, 13,
> 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96,
> 238, 97, 6, 240, 239, 53, 188, 180, 41 }
> Session ID: {}
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_RC4_128_MD5]
> Compression Methods: { 0 }
> ***
> %% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
> %% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
> http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT: fatal, description =
> handshake_failure
> http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2
> http-bio-xxxx-exec-2, called closeSocket()
>
>
>
> http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
> no cipher suites in common
> http-bio-xxxx-exec-2, IOException in getSession():
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
>
> There you go, no comment needed.
>
> Also, since you are using JSSE in your tomcat connector, you never
mentioned the Java version you are using? From the logs looks like IHS
offers TLSv1.2 ciphers but tomcat does not support them so maybe you are
running an outdated version of Java, maybe 1.6?
There some tools out there you can use to find the default SSL/TLS cipher
suits that JVM will use (and I think I've seen one from Christopher
Schultz). The tool should provide you with output like this:
$ java Ciphers
Default Cipher
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256
...
then pick up one of the supported default ciphers (marked with star) and
use it in IHS (as it is or translated in IHS way, no idea about that) so
you get a match. I know nothing about IHS so can't help there.
If that doesn't work then I would say IHS does some funky stuff with the
cipher suites in a way that tomcat can't understand them.
Igor
