-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Harish,
On 10/12/17 10:55 AM, Harish Krishnan wrote: > Thank you all for the help and responses. We figured out what the > problem was. What I did was correct in terms of the attribute > setting, the tomcat version used and the JRE version used. However, > I did not realize our JRE is running in FIPs mode using RSA BSAFE > as the crypto provider. FIPS strikes again! In this case, it's not really FIPS's fault, it's RSA's BSAFE. Anyone using RSA's BSAFE these days ought to lose their job. Plow that thing under with salt and use a trusted crypto provider (lol, Oracle, I guess) . > When I tested and ran under standard JRE, then the server cipher > suite order was preferred. You are probably using an ancient version of BSAFE. Your random numbers are probably all ones. Seriously, you need to dump BSAFE. > Now I will have to look into what RSA library is doing here. Leaking like a sieve, probably. > Probably they are setting that Java API too which could be > overwriting our setting in tomcat. If that crypto provider is in use, then it'll likely affect the whole JVM. It just occurred to me that Tomcat doesn't have a setting for the crypto provider to use for TLS itself... only for the various "stores", etc. We probably ought to add that, and then you could choose "JSSE" as your provider and avoid BSAFE. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlngLCgACgkQHPApP6U8 pFjanhAAkTNcGk5/X6b9aK2gYcSDdTjkE879XA77KGYwWDF2L01jtSdF7ejnCcuN 4lfivY/V5TaiKv0EZrU1YVC2psBZVK5CjfsCIfUZe5gOmqRRtxm8vRARULOY31oQ tm4Hf3PHVXuKa/ZBQutLFOolJo7IhaYP3CtBqE+i7OWSlyy0dsqdqO40z9+vzt2n DBiMRXl0Y2HGCeRsm0owdsFFDqA/j0xcCTBjgckgR6TcnRPc926FZVmr+q53DEQ1 rYVo3Kfum7AnLP3y4rVT0SsxavjI48aXqCLKcM9RzRJ//D+p9teOeiHiUtu4CzHY aQmkV22N6LC3M5uBwNNU1xXr62SNiarqY7euurPhPcOkbQSi4ckfknh48JzenQ41 Ws7XvuLGOmTcLOv+rsKYjBd5s6IxuBH/+k5MfttPQaZ8mHAieMjEnVszmjZon2rE Mqqcd+C5Z0q2/X9wUAwNAD3muQTzx2A8C3uucJHVygvwNy76UCUCoyLakQ98/8WL 3SKN2l3EddObdi4OUrfga80ZTLf0AnBoflmKz+2UAbP3Xit++XHBs5dBgvN51Tji d6IdBRJpSq/njZmnSGQYJ/4o07v31YgLjh+xZTS+8wxm5H3C4V6/IuWlsnYPZWi5 YQRe0GPZw54IuLs9WZG6AbNcAzhGOW+OBIMGbzSKQukeLAVpjws= =KUgn -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
