On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:
> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" <vamsi_a_g...@keybank.com.invalid> > wrote: > > The debug log produced following & it's evident that handshake is failing > due to no ciphers suites in common. > > Allow unsafe renegotiation: false > Allow legacy hello messages: true > Is initial handshake: true > Is secure renegotiation: false > http-bio-xxxx-Acceptor-0, setSoTimeout(60000) called > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > for TLSv1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 > for TLSv1 > Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > for TLSv1.1 > Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 > for TLSv1.1 > http-bio-xxxx-exec-2, READ: TLSv1.2 Handshake, length = 57 > *** ClientHello, TLSv1.2 > RandomCookie: GMT: -2042962343 <(204)%20296-2343> bytes = { 199, 95, 13, > 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, > 238, 97, 6, 240, 239, 53, 188, 180, 41 } > Session ID: {} > Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0, > SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_RSA_WITH_RC4_128_MD5] > Compression Methods: { 0 } > *** > %% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL] > %% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL] > http-bio-xxxx-exec-2, SEND TLSv1.2 ALERT: fatal, description = > handshake_failure > http-bio-xxxx-exec-2, WRITE: TLSv1.2 Alert, length = 2 > http-bio-xxxx-exec-2, called closeSocket() > > > > http-bio-xxxx-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: > no cipher suites in common > http-bio-xxxx-exec-2, IOException in getSession(): > javax.net.ssl.SSLHandshakeException: no cipher suites in common > > > There you go, no comment needed. > > Also, since you are using JSSE in your tomcat connector, you never mentioned the Java version you are using? From the logs looks like IHS offers TLSv1.2 ciphers but tomcat does not support them so maybe you are running an outdated version of Java, maybe 1.6? There some tools out there you can use to find the default SSL/TLS cipher suits that JVM will use (and I think I've seen one from Christopher Schultz). The tool should provide you with output like this: $ java Ciphers Default Cipher SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA * SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 * TLS_DHE_RSA_WITH_AES_128_CBC_SHA * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_128_GCM_SHA256 ... then pick up one of the supported default ciphers (marked with star) and use it in IHS (as it is or translated in IHS way, no idea about that) so you get a match. I know nothing about IHS so can't help there. If that doesn't work then I would say IHS does some funky stuff with the cipher suites in a way that tomcat can't understand them. Igor