All,
I'm using Tomcat 7.0.82 and Java 1.8.0_152.
I cannot get Tomcat to accept elliptic curve ciphers. I've written a small SSL
socket server that uses the same certificate as the server and deployed it on
the same machine using the same JDK. It accepts EC ciphers just fine so I
don't think there is anything in the JDK that has disabled them, etc. With
verbose SSL enabled, Tomcat, however, complains about "http-bio-7114-exec-4,
handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in
common."
If I omit the "ciphers" property of the connector, I get this:
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
If I set ciphers="ALL", I'm back to "no cipher suites in common."
If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
which works with my socket server, I get "No appropriate protocol (protocol is
disabled or cipher suites are inappropriate)."
BTW I have an RSA cert on the server with a 2048-bit key and signed using
SHA256withRSA.
One of the connector configs I've tried:

<!-- JSSE (BIO) HTTPS connector; this variant has no "ciphers" attribute -->
<Connector port="7114"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="400"
           maxKeepAliveRequests="100"
           keepAliveTimeout="10000"
           scheme="https"
           secure="true"
           clientAuth="true"
           sessionCacheSize="5"
           sslProtocol="TLS"
           keystoreFile="/path/to/keystore"
           keystorePass="${keystore.password}"
           keyAlias="test"
           truststoreFile="/path/to/cacerts"
           truststorePass="${truststore.password}"
           allowUnsafeLegacyRenegotiation="false"
           />
Thanks
John
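A diagnostic for the "no cipher suites in common" situation above, added here as an example and not taken from John's post or from Tomcat: it splits a connector-style ciphers value into JSSE suite names and reports which ones the running JDK enables by default, which it supports but has disabled (typically through jdk.tls.disabledAlgorithms in java.security), and which it does not know at all. Run it with the same JDK and the same -D flags as the Tomcat JVM so the comparison reflects Tomcat's environment; the class and method names are my own.

```java
import javax.net.ssl.SSLContext;
import java.security.GeneralSecurityException;
import java.util.*;

// Added diagnostic (not from the post or Tomcat): compares requested JSSE
// cipher suites against what this JDK supports and enables by default.
public class CipherSuiteCheck {

    public static final class Report {
        public final List<String> enabled = new ArrayList<>();
        public final List<String> disabledByDefault = new ArrayList<>();
        public final List<String> unsupported = new ArrayList<>();
        public final List<String> defaultProtocols = new ArrayList<>();
    }

    // 'requested' is the connector's ciphers attribute: comma-separated JSSE
    // names such as "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256". 'protocol' is the
    // SSLContext algorithm, e.g. "TLS" as in sslProtocol="TLS".
    public static Report check(String requested, String protocol)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // default key/trust managers suffice for enumeration
        Set<String> supported = new HashSet<>(Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()));
        Report r = new Report();
        r.defaultProtocols.addAll(Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));
        for (String s : requested.trim().split("\\s*,\\s*")) {
            if (s.isEmpty()) continue;
            if (enabled.contains(s)) r.enabled.add(s);
            else if (supported.contains(s)) r.disabledByDefault.add(s); // check java.security
            else r.unsupported.add(s);                                  // unknown name or no provider
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        String requested = args.length > 0 ? args[0]
                : "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA";
        Report r = check(requested, "TLS");
        System.out.println("default protocols:   " + r.defaultProtocols);
        System.out.println("enabled by default:  " + r.enabled);
        System.out.println("supported, disabled: " + r.disabledByDefault);
        System.out.println("unsupported:         " + r.unsupported);
    }
}
```

If a suite shows as enabled here but Tomcat still reports no common suite, the gap is in the connector configuration or the Tomcat JVM's own settings rather than in the JDK's cipher support.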