Mark,

On 1/8/18 3:36 PM, Mark Thomas wrote:
> On 08/01/18 19:34, john.e.gr...@wellsfargo.com.INVALID wrote:
>> All,
>> 
>> I'm using Tomcat 7.0.82 and Java 1.8.0_152.
>> 
>> I cannot get Tomcat to accept elliptic curve ciphers.  I've
>> written a small SSL socket server that uses the same certificate
>> as the server and deployed it on the same machine using the same
>> JDK.  It accepts EC ciphers just fine so I don't think there is
>> anything in the JDK that has disabled them, etc.  With verbose
>> SSL enabled, Tomcat, however, complains about
>> "http-bio-7114-exec-4, handling exception:
>> javax.net.ssl.SSLHandshakeException: no cipher suites in
>> common."
>> 
>> If I omit the "ciphers" property of the connector, I get this:
>> 
>> No available cipher suite for TLSv1
>> No available cipher suite for TLSv1.1
>> No available cipher suite for TLSv1.2
>> 
>> If I set ciphers="ALL,"  I'm back to "no cipher suites in
>> common."
>> 
>> If I explicitly tell Tomcat to accept
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket
>> server, I get "No appropriate protocol (protocol is disabled or
>> cipher suites are inappropriate)."
>> 
>> BTW I have an RSA cert on the server with a 2048-bit key and
>> signed using SHA256withRSA.
>> 
>> One of the connector configs I've tried.
>> 
>> <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true" 
>> maxThreads="400" maxKeepAliveRequests="100" 
>> keepAliveTimeout="10000" scheme="https" secure="true" 
>> clientAuth="true" sessionCacheSize="5" sslProtocol="TLS" 
>> keystoreFile="/path/to/keystore" 
>> keystorePass="${keystore.password}" keyAlias="test" 
>> truststoreFile="/path/to/cacerts" 
>> truststorePass="${truststore.password}" 
>> allowUnsafeLegacyRenegotiation="false" />
> 
> Try getting it to work without client authentication to start
> with.

+1

> I don't see anything that jumps out as wrong in the above.

Also, John, what client are you using to test?

- -chris
