Chris and Mark,

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, January 08, 2018 5:21 PM
> To: users@tomcat.apache.org
> Subject: Re: Why will Tomcat not accept EC cipher suites?
> 
> Mark,
> 
> On 1/8/18 3:36 PM, Mark Thomas wrote:
> > On 08/01/18 19:34, john.e.gr...@wellsfargo.com.INVALID wrote:
> >> All,
> >>
> >> I'm using Tomcat 7.0.82 and java 1.8.0_152.
> >>
> >> I cannot get Tomcat to accept elliptic curve ciphers.  I've written a
> >> small SSL socket server that uses the same certificate as the server
> >> and deployed it on the same machine using the same JDK.  It accepts
> >> EC ciphers just fine so I don't think there is anything in the JDK
> >> that has disabled them, etc.  With verbose SSL enabled, Tomcat,
> >> however, complains about "http-bio-7114-exec-4, handling exception:
> >> javax.net.ssl.SSLHandshakeException: no cipher suites in common."
> >>
> >> If I omit the "ciphers" property of the connector, I get this:
> >>
> >> No available cipher suite for TLSv1
> >> No available cipher suite for TLSv1.1
> >> No available cipher suite for TLSv1.2
> >>
> >> If I set ciphers="ALL,"  I'm back to "no cipher suites in common."
> >>
> >> If I explicitly tell Tomcat to accept
> >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket
> >> server, I get "No appropriate protocol (protocol is disabled or
> >> cipher suites are inappropriate)."
> >>
> >> BTW I have an RSA cert on the server with a 2048-bit key and signed
> >> using SHA256withRSA.
> >>
> >> One of the connector configs I've tried.
> >>
> >> <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true"
> >> maxThreads="400" maxKeepAliveRequests="100"
> >> keepAliveTimeout="10000" scheme="https" secure="true"
> >> clientAuth="true" sessionCacheSize="5" sslProtocol="TLS"
> >> keystoreFile="/path/to/keystore"
> >> keystorePass="${keystore.password}" keyAlias="test"
> >> truststoreFile="/path/to/cacerts"
> >> truststorePass="${truststore.password}"
> >> allowUnsafeLegacyRenegotiation="false" />
> >
> > Try getting it to work without client authentication to start with.
> 
> +1
> 
> > I don't see anything that jumps out as wrong in the above.
> 
> Also, John, what client are you using to test?
> 
> - -chris

At Mark's suggestion, I disabled client auth, but it didn't make any 
difference.  The handshake fails before it even gets to that step.

I'm using several different clients, including HP Performance Center, openssl, 
and a couple of java clients that I wrote myself (one uses SSLSocket directly 
and one uses HttpsUrlConnection.)

Currently I'm looking at the JDK's ServerHandshaker class to make sure I 
understand the log messages.

Thanks
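As an added check (not code from the thread or from Tomcat): a small Java program that loads the keystore the connector points at, builds an SSLContext from it the way JSSE would, and reports whether a given ECDHE suite is both supported and enabled by the JDK for that key. The keystore path, password and alias are placeholders to replace.

```java
// Added diagnostic: report the cipher suites JSSE would offer for the server key.
// Assumptions: keystore path, password and alias below are placeholders.
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CipherSuiteCheck {
    public static void main(String[] args) throws Exception {
        String ksPath = args.length > 0 ? args[0] : "/path/to/keystore";          // placeholder
        char[] ksPass = (args.length > 1 ? args[1] : "changeit").toCharArray();   // placeholder
        String alias = args.length > 2 ? args[2] : "test";                        // placeholder
        String wanted = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }
        // The key algorithm decides which key-exchange families are possible:
        // an RSA key can serve *_ECDHE_RSA_* suites, an EC key *_ECDHE_ECDSA_* suites.
        Key key = ks.getKey(alias, ksPass);
        if (!(key instanceof PrivateKey)) {
            System.out.println("alias '" + alias + "' has no private key; nothing can be negotiated");
            return;
        }
        System.out.println("key algorithm for alias '" + alias + "': " + key.getAlgorithm());

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());
        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("supported suites: " + supported.size() + ", enabled by default: " + enabled.size());
        System.out.println(wanted + " supported=" + supported.contains(wanted)
                + " enabled=" + enabled.contains(wanted));
        // Suites the JDK knows but does not enable by default must be named in ciphers="..."
        for (String s : supported) {
            if (s.contains("ECDHE") && !enabled.contains(s)) System.out.println("supported, not enabled: " + s);
        }
    }
}
```

Run it with the same JDK and keystore as the Tomcat instance; if the wanted suite is supported but not enabled, the connector's ciphers list (or the JDK's security properties) is where to look.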
