On 08/01/18 19:34, john.e.gr...@wellsfargo.com.INVALID wrote:
> All,
>
> I'm using Tomcat 7.0.82 and java 1.8.0_152.
>
> I cannot get Tomcat to accept elliptic curve ciphers. I've written a small
> SSL socket server that uses the same certificate as the server and deployed
> it on the same machine using the same JDK. It accepts EC ciphers just fine
> so I don't think there is anything in the JDK that has disabled them, etc.
> With verbose SSL enabled, Tomcat, however, complains about
> "http-bio-7114-exec-4, handling exception:
> javax.net.ssl.SSLHandshakeException: no cipher suites in common."
>
> If I omit the "ciphers" property of the connector, I get this:
>
> No available cipher suite for TLSv1
> No available cipher suite for TLSv1.1
> No available cipher suite for TLSv1.2
>
> If I set ciphers="ALL," I'm back to "no cipher suites in common."
>
> If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> which works with my socket server, I get "No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)."
>
> BTW I have an RSA cert on the server with a 2048-bit key and signed using
> SHA256withRSA.
>
> One of the connector configs I've tried.
>
> <Connector port="7114"
> protocol="HTTP/1.1"
> SSLEnabled="true"
> maxThreads="400"
> maxKeepAliveRequests="100"
> keepAliveTimeout="10000"
> scheme="https"
> secure="true"
> clientAuth="true"
> sessionCacheSize="5"
> sslProtocol="TLS"
> keystoreFile="/path/to/keystore"
> keystorePass="${keystore.password}"
> keyAlias="test"
> truststoreFile="/path/to/cacerts"
> truststorePass="${truststore.password}"
> allowUnsafeLegacyRenegotiation="false"
> />
Try getting it to work without client authentication to start with.
I don't see anything that jumps out as wrong in the above.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
