John,

On 1/8/18 6:28 PM, john.e.gr...@wellsfargo.com.INVALID wrote:
> Chris and Mark,
>> -----Original Message----- From: Christopher Schultz
>> [mailto:ch...@christopherschultz.net] Sent: Monday, January 08,
>> 2018 5:21 PM To: users@tomcat.apache.org Subject: Re: Why will
>> Tomcat not accept EC cipher suites?
>> 
>> Mark,
>> 
>> On 1/8/18 3:36 PM, Mark Thomas wrote:
>>> On 08/01/18 19:34, john.e.gr...@wellsfargo.com.INVALID wrote:
>>>> All,
>>>> 
>>>> I'm using Tomcat 7.0.82 and java 1.8.0_152.
>>>> 
>>>> I cannot get Tomcat to accept elliptic curve ciphers.  I've
>>>> written a small SSL socket server that uses the same
>>>> certificate as the server and deployed it on the same machine
>>>> using the same JDK.  It accepts EC ciphers just fine so I
>>>> don't think there is anything in the JDK that has disabled
>>>> them, etc.  With verbose SSL enabled, Tomcat, however,
>>>> complains about "http-bio-7114-exec-4, handling exception: 
>>>> javax.net.ssl.SSLHandshakeException: no cipher suites in
>>>> common."
>>>> 
>>>> If I omit the "ciphers" property of the connector, I get
>>>> this:
>>>> 
>>>> No available cipher suite for TLSv1 No available cipher suite
>>>> for TLSv1.1 No available cipher suite for TLSv1.2
>>>> 
>>>> If I set ciphers="ALL,"  I'm back to "no cipher suites in
>>>> common."
>>>> 
>>>> If I explicitly tell Tomcat to accept
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket
>>>> server, I get "No appropriate protocol (protocol is disabled
>>>> or cipher suites are inappropriate)."
>>>> 
>>>> BTW I have an RSA cert on the server with a 2048-bit key and
>>>> signed using SHA256withRSA.
>>>> 
>>>> One of the connector configs I've tried.
>>>> 
>>>> <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true" 
>>>> maxThreads="400" maxKeepAliveRequests="100" 
>>>> keepAliveTimeout="10000" scheme="https" secure="true" 
>>>> clientAuth="true" sessionCacheSize="5" sslProtocol="TLS" 
>>>> keystoreFile="/path/to/keystore" 
>>>> keystorePass="${keystore.password}" keyAlias="test" 
>>>> truststoreFile="/path/to/cacerts" 
>>>> truststorePass="${truststore.password}" 
>>>> allowUnsafeLegacyRenegotiation="false" />
>>> 
>>> Try getting it to work without client authentication to start
>>> with.
>> 
>> +1
>> 
>>> I don't see anything that jumps out as wrong in the above.
>> 
>> Also, John, what client are you using to test?
>> 
>> - -chris
> 
> At Mark's suggestion, I disabled client auth, but it didn't make
> any difference.  The handshake fails before it even gets to that
> step.
> 
> I'm using several different clients, including HP Performance
> Center, openssl, and a couple of java clients that I wrote myself
> (one uses SSLSocket directly and one uses HttpsURLConnection.)
> 
> Currently I'm looking at the JDK's ServerHandshaker class to make
> sure I understand the log messages.

Are you doing something mundane such as:

$ openssl s_client -connect example.com:8443 ?

I would expect that to be able to negotiate a TLS connection with a
pretty standard Tomcat with TLS enabled (and nothing in particular
specified for ciphers, protocols, etc.).

- -chris
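Added diagnostic, not code from the thread or from Tomcat: it loads the same keystore the connector references and prints what the JDK's server-side SSLEngine is actually willing to offer, so "no cipher suites in common" and "No appropriate protocol" can be traced to the JDK side (provider, disabledAlgorithms, key type) before blaming the connector. The class name, keystore path and password arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical helper: java TlsSuiteCheck /path/to/keystore <password>
public class TlsSuiteCheck {
    // The suite John configured explicitly; an ECDHE_RSA suite needs an RSA server key.
    static final String WANTED = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";

    public static void main(String[] args) throws Exception {
        String keystoreFile = args[0];            // assumed: same file as keystoreFile=
        char[] password = args[1].toCharArray();  // assumed: same as keystorePass=

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        // Server-mode engine on a plain "TLS" context, as a BIO connector would build it.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        // EC suites are only usable when an EC provider (SunEC on JDK 8) is installed,
        // and anything listed in jdk.tls.disabledAlgorithms is silently dropped.
        System.out.println("SunEC provider present: " + (Security.getProvider("SunEC") != null));
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));

        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());
        System.out.println(WANTED + " supported=" + supported.contains(WANTED)
                + " enabled=" + enabled.contains(WANTED));

        // ECDHE suites the engine would offer; the handshake still requires the
        // keystore's key type (RSA here) to match the suite's authentication half.
        System.out.println("Enabled ECDHE suites:");
        for (String s : enabled) {
            if (s.contains("_ECDHE_")) System.out.println("  " + s);
        }
    }
}
```

Run it with the JDK that Tomcat actually starts under; a different JDK on PATH than the one in JAVA_HOME is an easy way to get different answers from Tomcat and a hand-written socket server.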
