On 08/01/18 19:34, john.e.gr...@wellsfargo.com.INVALID wrote:
> All,
>
> I'm using Tomcat 7.0.82 and java 1.8.0_152.
>
> I cannot get Tomcat to accept elliptic curve ciphers. I've written a small
> SSL socket server that uses the same certificate as the server and deployed
> it on the same machine using the same JDK. It accepts EC ciphers just fine
> so I don't think there is anything in the JDK that has disabled them, etc.
> With verbose SSL enabled, Tomcat, however, complains about
> "http-bio-7114-exec-4, handling exception:
> javax.net.ssl.SSLHandshakeException: no cipher suites in common."
>
> If I omit the "ciphers" property of the connector, I get this:
>
> No available cipher suite for TLSv1
> No available cipher suite for TLSv1.1
> No available cipher suite for TLSv1.2
>
> If I set ciphers="ALL," I'm back to "no cipher suites in common."
>
> If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> which works with my socket server, I get "No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)."
>
> BTW I have an RSA cert on the server with a 2048-bit key and signed using
> SHA256withRSA.
>
> One of the connector configs I've tried:
>
> <Connector port="7114"
>            protocol="HTTP/1.1"
>            SSLEnabled="true"
>            maxThreads="400"
>            maxKeepAliveRequests="100"
>            keepAliveTimeout="10000"
>            scheme="https"
>            secure="true"
>            clientAuth="true"
>            sessionCacheSize="5"
>            sslProtocol="TLS"
>            keystoreFile="/path/to/keystore"
>            keystorePass="${keystore.password}"
>            keyAlias="test"
>            truststoreFile="/path/to/cacerts"
>            truststorePass="${truststore.password}"
>            allowUnsafeLegacyRenegotiation="false"
> />
Try getting it to work without client authentication to start with. I don't see anything that jumps out as wrong in the above.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
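A diagnostic to run on the server's own JDK before changing the connector further, added here as an example and not part of the thread or of Tomcat's code: it lists the protocols and ECDHE suites the JDK enables by default, checks the suite named in the question, prints the jdk.tls.disabledAlgorithms security property that silently removes algorithms from negotiation, and reports the key algorithm behind the keyAlias entry (TLS_ECDHE_RSA_* suites need an RSA private key; TLS_ECDHE_ECDSA_* suites need an EC key). The class name, the command-line arguments for keystore path, password and alias, and the assumption that the key password equals the keystore password (Tomcat's default when keyPass is not set) are all mine; the thread only shows placeholders.

```java
// Added diagnostic (not from the thread): reports what this JDK will negotiate
// and what kind of key the connector's keyAlias resolves to.
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsCipherCheck {

    // Suite from the question; ECDHE_RSA suites require an RSA key entry.
    static final String WANTED = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";

    // Usage: java TlsCipherCheck [keystoreFile keystorePass keyAlias]
    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();

        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());
        List<String> protocols = Arrays.asList(engine.getEnabledProtocols());

        System.out.println("Enabled protocols: " + protocols);
        System.out.println("Enabled cipher suites: " + enabled.size()
                + " of " + supported.size() + " supported");

        // If nothing is printed here, the JDK itself (not Tomcat) has no ECDHE
        // suite enabled, which the disabledAlgorithms property below explains.
        System.out.println("Enabled ECDHE suites:");
        for (String suite : enabled) {
            if (suite.contains("_ECDHE_")) {
                System.out.println("  " + suite);
            }
        }

        System.out.println(WANTED + ": supported=" + supported.contains(WANTED)
                + ", enabled=" + enabled.contains(WANTED));

        // Security property from $JAVA_HOME/jre/lib/security/java.security.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Optional: inspect the key entry the connector's keyAlias points to.
        // Assumes the default keystore type (JKS on Java 8) and that the key
        // password equals the keystore password, as Tomcat assumes by default.
        if (args.length == 3) {
            String file = args[0];
            char[] password = args[1].toCharArray();
            String alias = args[2];

            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(file)) {
                ks.load(in, password);
            }
            Key key = ks.getKey(alias, password);
            if (key == null) {
                System.out.println("No private key entry for alias '" + alias + "'");
            } else {
                // "RSA" pairs with TLS_ECDHE_RSA_*, "EC" with TLS_ECDHE_ECDSA_*.
                System.out.println("Key alias '" + alias + "' algorithm: "
                        + key.getAlgorithm());
            }
        }
    }
}
```

Run it with the same JDK binary that starts Tomcat (the java.security file and any -Djdk.tls.* overrides are per installation), and compare the ECDHE list against the connector's ciphers attribute: a suite has to appear in the enabled list here before Tomcat can offer it.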