Hello John,
Technically, Java 1.8 provides the ciphers which are used by Tomcat and it 
definitely supports a lot of EC ciphers: 
https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites
Do you get the HandshakeException when you access Tomcat directly or through a 
web server?

Also, I use a small script to get the list of supported ciphers for each 
protocol, as below:
------
#!/bin/sh
# Probe which ciphers the server accepts for a given protocol.
# Replace tls1 with tls1_1 or tls1_2; it is the protocol flag passed to s_client.
for v in tls1; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    # A successful handshake means the server accepted this cipher/protocol pair.
    openssl s_client -connect TOMCAT-SERVER:HTTPS-Port \
      -cipher "$c" -"$v" < /dev/null > /dev/null 2>&1 && printf '%s:\t%s\n' "$v" "$c"
  done
done
---------


Thank you,
Vamsi Gali
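
A JSSE-side check to pair with the openssl probe, added here as an example and not part of either message: it reads the same keystore the Connector uses (assumed to be passed as keystoreFile, keystorePass and keyAlias arguments, with placeholders otherwise), reports the key algorithm, and lists the JDK's ECDHE suites, marking which match the key type and which are enabled by default.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Diagnostic for "no cipher suites in common": compare the JDK's EC suites with the server key. */
public class EcSuiteCheck {
    public static void main(String[] args) throws Exception {
        // Assumed argument layout: keystoreFile keystorePass keyAlias (values from the Connector).
        String ksPath = args.length > 0 ? args[0] : "/path/to/keystore";
        char[] ksPass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias = args.length > 2 ? args[2] : "test";

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            System.err.println("No certificate under alias '" + alias + "' in " + ksPath);
            return;
        }
        // TLS_ECDHE_RSA_* suites need an RSA key, TLS_ECDHE_ECDSA_* need an EC key.
        String keyAlg = cert.getPublicKey().getAlgorithm();
        String family = keyAlg.equals("EC") ? "ECDHE_ECDSA" : "ECDHE_" + keyAlg;
        System.out.println("Key algorithm: " + keyAlg + " -> usable EC family: TLS_" + family + "_*");

        SSLContext ctx = SSLContext.getDefault();
        Set<String> enabled = new HashSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        System.out.println("Default protocols: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Walk every ECDHE suite the JDK knows; a suite that is "supported only" is excluded by
        // the JDK's default enabled list, and a "wrong key type" suite can never be negotiated.
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (!suite.contains("ECDHE")) continue;
            String fit = suite.contains(family) ? "matches key" : "wrong key type";
            String state = enabled.contains(suite) ? "enabled by default" : "supported only";
            System.out.printf("%-48s %-15s %s%n", suite, fit, state);
        }
    }
}
```

Run it with the same JDK that starts Tomcat, so the output reflects the security properties Tomcat actually sees.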

-----Original Message-----
From: john.e.gr...@wellsfargo.com.INVALID 
[mailto:john.e.gr...@wellsfargo.com.INVALID] 
Sent: Monday, January 08, 2018 2:35 PM
To: users@tomcat.apache.org
Subject: Why will Tomcat not accept EC cipher suites?

All,

I'm using Tomcat 7.0.82 and java 1.8.0_152.

I cannot get Tomcat to accept elliptic curve ciphers.  I've written a small SSL 
socket server that uses the same certificate as the server and deployed it on 
the same machine using the same JDK.  It accepts EC ciphers just fine so I 
don't think there is anything in the JDK that has disabled them, etc.  With 
verbose SSL enabled, Tomcat, however, complains about "http-bio-7114-exec-4, 
handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in 
common."

If I omit the "ciphers" property of the connector, I get this:

No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2

If I set ciphers="ALL,"  I'm back to "no cipher suites in common."

If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
which works with my socket server, I get "No appropriate protocol (protocol is 
disabled or cipher suites are inappropriate)."

BTW I have an RSA cert on the server with a 2048-bit key and signed using 
SHA256withRSA.

One of the connector configs I've tried:

    <Connector port="7114"
        protocol="HTTP/1.1"
        SSLEnabled="true"
        maxThreads="400"
        maxKeepAliveRequests="100"
        keepAliveTimeout="10000"
        scheme="https"
        secure="true"
        clientAuth="true"
        sessionCacheSize="5"
        sslProtocol="TLS"
        keystoreFile="/path/to/keystore"
        keystorePass="${keystore.password}"
        keyAlias="test"
        truststoreFile="/path/to/cacerts"
        truststorePass="${truststore.password}"
        allowUnsafeLegacyRenegotiation="false"
        />

Thanks

John
